Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544773
MD5:	f1d1ddb711ab9a81234b10eb7417be4d
SHA1:	b4ed561f654cf34fe80521b07effca3835361301
SHA256:	e21deb95793d7008c47b0b11c6341afd6eb5e43c21dafe943abb01bda60cb481
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F1D1DDB711AB9A81234B10EB7417BE4D)

taskkill.exe (PID: 7080 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4948 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1184 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1396 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6288 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7140 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6020 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6668 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9166fe6b-6312-45c0-99a0-435f25bf70b7} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0faf70710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7624 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4424 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0c0f30-e05e-429e-932b-ee96ae950bae} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0ff823a10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7368 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5396 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b15a8493-3b64-4f9e-b7e1-655faeded7fa} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f097486f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7032	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0078EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0078EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0078ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0078EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0077AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1692771414.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4a4bc8cf-5
Source: file.exe, 00000000.00000000.1692771414.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4e65686d-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f2cdddd1-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_917aad08-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002428FA0A3B7 NtQuerySystemInformation,		16_2_000002428FA0A3B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002428FA2BBB2 NtQuerySystemInformation,		16_2_000002428FA2BBB2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0077D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00771201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00771201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0077E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071BF40	0_2_0071BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00718060	0_2_00718060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00782046	0_2_00782046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00778298	0_2_00778298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074E4FF	0_2_0074E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074676B	0_2_0074676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A4873	0_2_007A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CAF0	0_2_0071CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073CAA0	0_2_0073CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072CC39	0_2_0072CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00746DD9	0_2_00746DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072B119	0_2_0072B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007191C0	0_2_007191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731394	0_2_00731394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731706	0_2_00731706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073781B	0_2_0073781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072997D	0_2_0072997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717920	0_2_00717920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007319B0	0_2_007319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00737A4A	0_2_00737A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731C77	0_2_00731C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00737CA7	0_2_00737CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079BE44	0_2_0079BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00749EEE	0_2_00749EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731F32	0_2_00731F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002428FA0A3B7	16_2_000002428FA0A3B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002428FA2BBB2	16_2_000002428FA2BBB2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002428FA2BBF2	16_2_000002428FA2BBF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002428FA2C2DC	16_2_000002428FA2C2DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00730A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0072F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@67/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007837B5 GetLastError,FormatMessageW,

0_2_007837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007710BF AdjustTokenPrivileges,CloseHandle,		0_2_007710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0077D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0078648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874619225.000001F096CBE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1826646707.000001F09748E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1916560219.000001F09740F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9166fe6b-6312-45c0-99a0-435f25bf70b7} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0faf70710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4424 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0c0f30-e05e-429e-932b-ee96ae950bae} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0ff823a10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5396 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b15a8493-3b64-4f9e-b7e1-655faeded7fa} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f097486f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9166fe6b-6312-45c0-99a0-435f25bf70b7} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0faf70710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4424 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0c0f30-e05e-429e-932b-ee96ae950bae} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0ff823a10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5396 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b15a8493-3b64-4f9e-b7e1-655faeded7fa} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f097486f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UxTheme.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rsaenh.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1844280909.000001F0977A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1843616152.000001F0886A4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WinTypes.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1811411662.000001F097601000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xul.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nssckbi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc6.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8softokn3.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8twinapi.appcore.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernelbase.pdb source: firefox.exe, 0000000D.00000003.1832802717.000001F08D8B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1836093178.000001F0886A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8CoreMessaging.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8bcryptprimitives.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: freebl3.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1811411662.000001F097601000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8imagehlp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8gkcodecs.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iphlpapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ExplorerFrame.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8CoreUIComponents.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8osclientcerts.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cryptbase.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8cfgmgr32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: DWrite.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8iertutil.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8dhcpcsvc.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 0000000D.00000003.1832802717.000001F08D8B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1844280909.000001F0977A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ncrypt.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8webauthn.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ColorAdapterClient.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8powrprof.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8MMDevAPI.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: UMPDC.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8oleaut32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8kernel32.pdb source: firefox.exe, 0000000D.00000003.1832802717.000001F08D8B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8TextInputFramework.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844280909.000001F0977A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844280909.000001F0977A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8InputHost.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8ucrtbase.pdb source: firefox.exe, 0000000D.00000003.1832802717.000001F08D8B0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8audioses.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47mrm.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netutils.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8rasadhlp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Bcp47Langs.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8msvcp_win.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8wtsapi32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8taskschd.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1843616152.000001F0886A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8fwpuclnt.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winhttp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntasn1.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1836093178.000001F0886A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8advapi32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Storage.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8netprofm.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.Globalization.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: avrt.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8directmanipulation.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8setupapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8lgpllibs.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8gdi32full.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 0000000D.00000003.1832802717.000001F08D8B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: version.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dbgcore.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8DataExchange.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: 8wintrust.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8npmproxy.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8linkinfo.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 0000000D.00000003.1827475431.000001F0973C2000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00730A76 push ecx; ret

0_2_00730A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0072F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95802

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002428FA0A3B7 rdtsc

16_2_000002428FA0A3B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0077DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007868EE FindFirstFileW,FindClose,	0_2_007868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0078698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00789642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00789642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00789B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00789B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00785C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00785C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: firefox.exe, 00000010.00000002.2947005336.000002428F880000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: firefox.exe, 0000000F.00000002.2948352885.00000139FE306000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: firefox.exe, 00000011.00000002.2942786420.00000217AAAAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPG
Source: firefox.exe, 0000000F.00000002.2948352885.00000139FE306000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle"[
Source: firefox.exe, 00000010.00000002.2947005336.000002428F880000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%
Source: firefox.exe, 0000000F.00000002.2948352885.00000139FE306000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2944517894.00000139FDF1A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2941945666.000002428F09A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2946842009.00000217AAE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000D.00000003.1914911353.000001F0FF0C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2947816881.00000139FE212000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2947005336.000002428F880000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002428FA0A3B7 rdtsc

16_2_000002428FA0A3B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078EAA2 BlockInput,

0_2_0078EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00742622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00742622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00734CE8 mov eax, dword ptr fs:[00000030h]

0_2_00734CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00770B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00770B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00742622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00742622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0073083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007309D5 SetUnhandledExceptionFilter,	0_2_007309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00730C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00730C21

Source: C:\Users\user\Desktop\file.exe

0_2_00771201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00752BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00752BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077B226 SendInput,keybd_event,

0_2_0077B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00770B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00771663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00771663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1822653729.000001F097601000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00730698 cpuid

0_2_00730698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00788195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00788195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076D27A GetUserNameW,

0_2_0076D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0074BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0074BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7032, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7032, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00791204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00791806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00791806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
http://exslt.org/sets	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
http://exslt.org/common	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.16.142	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	172.217.16.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2943509349.00000217AACC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com0	firefox.exe, 0000000D.00000003.1918437345.000001F095631000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1874879499.000001F0969B6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000D.00000003.1900420272.000001F0FEFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2945169053.00000139FE1CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2943189494.000002428F3E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2947081276.00000217AAF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1848912643.000001F092F58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774484470.000001F092F59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775554216.000001F092F59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.2945169053.00000139FE172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2943189494.000002428F386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2943509349.00000217AAC8F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1828850091.000001F093322000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1827780280.000001F093824000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1741955040.000001F08AE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741538667.000001F08AE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741668072.000001F08AE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741816579.000001F08AE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741385395.000001F08AC00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1832521357.000001F08D8FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1918023822.000001F096CF2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874619225.000001F096CF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1830079270.000001F09303E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1910038531.000001F0FF81D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892868255.000001F0FF81D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1842489288.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851222410.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741955040.000001F08AE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797183511.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741538667.000001F08AE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846839066.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741668072.000001F08AE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741816579.000001F08AE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741385395.000001F08AC00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1830657230.000001F08E54D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1741955040.000001F08AE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741538667.000001F08AE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741668072.000001F08AE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741816579.000001F08AE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741385395.000001F08AC00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/sets	firefox.exe, 0000000D.00000003.1915545293.000001F0FEF8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900596255.000001F0FEF8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1830657230.000001F08E5A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000D.00000003.1900420272.000001F0FEFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2945169053.00000139FE1CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2943189494.000002428F3E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2947081276.00000217AAF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1913080703.000001F096C52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing	firefox.exe, 0000000D.00000003.1910038531.000001F0FF81D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892868255.000001F0FF81D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1797183511.000001F08CED2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/common	firefox.exe, 0000000D.00000003.1915545293.000001F0FEF8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900596255.000001F0FEF8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1895015072.000001F09337D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000D.00000003.1872810007.000001F0FFD52000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1914911353.000001F0FF0C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/dates-and-times	firefox.exe, 0000000D.00000003.1900596255.000001F0FEF61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915829245.000001F0FEF61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000D.00000003.1900420272.000001F0FEFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2945169053.00000139FE1CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2943189494.000002428F3E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2947081276.00000217AAF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1827780280.000001F093898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894255661.000001F093898000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2943509349.00000217AACC4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1805402954.000001F08C446000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1844120238.000001F08CA26000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1827688021.000001F0969CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1832521357.000001F08D8FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1912494750.000001F08CBCA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1914911353.000001F0FF0C9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1828850091.000001F093322000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2943189494.000002428F312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2943509349.00000217AAC13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1830079270.000001F09303E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895015072.000001F09337D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1914765928.000001F0FF83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1803382271.000001F08CEE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891559022.000001F08CAA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844120238.000001F08CA26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899775627.000001F08B2BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847979916.000001F08B2D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1778190632.000001F093049000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864707305.000001F08CEED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869694309.000001F08C9B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868593147.000001F08CAA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1746326867.000001F08B52A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882133312.000001F08B24E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869249851.000001F08C9B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1837011245.000001F08C9A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892868255.000001F0FF83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898801329.000001F08B2D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851430319.000001F08CAB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875206386.000001F092E6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830657230.000001F08E539000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848912643.000001F092F45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892295252.000001F08AF58000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1830657230.000001F08E54D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1830657230.000001F08E54D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1778342550.000001F08EABE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830477051.000001F08EAB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911006844.000001F08EAB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1830028004.000001F09309C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777645334.000001F09309F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875010810.000001F0938CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827780280.000001F0938CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1830028004.000001F09309C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777645334.000001F09309F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875010810.000001F0938CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827780280.000001F0938CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895015072.000001F09337D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1848912643.000001F092F58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775554216.000001F092F59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1780723970.000001F08C266000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1910038531.000001F0FF81D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892868255.000001F0FF81D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1871803517.000001F089334000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743449153.000001F089333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1744057954.000001F089318000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859434961.000001F089333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1744249972.000001F089333000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1903824093.000001F08D737000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1830657230.000001F08E56A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1871803517.000001F089334000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1743449153.000001F089333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1744057954.000001F089318000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859434961.000001F089333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1744249972.000001F089333000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1827780280.000001F093898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894255661.000001F093898000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000D.00000003.1900420272.000001F0FEFB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2945169053.00000139FE1CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2943189494.000002428F3E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2947081276.00000217AAF05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1828850091.000001F093322000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1874879499.000001F0969B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901912969.000001F096CCB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1741385395.000001F08AC00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1842489288.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851222410.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741955040.000001F08AE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797183511.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741538667.000001F08AE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846839066.000001F08CE8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741668072.000001F08AE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741816579.000001F08AE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741385395.000001F08AC00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1830079270.000001F09303E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2944809156.00000139FDF50000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2947253810.000002428F980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2946384014.00000217AAD30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919220370.000001F09336F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913311490.000001F09335D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false
172.217.16.142	youtube.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544773
Start date and time:	2024-10-29 18:23:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@67/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 39 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.160.212.113, 52.11.191.138, 54.185.230.140, 2.22.61.59, 2.22.61.56, 216.58.206.46, 142.250.186.138, 142.250.185.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:24:09	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	na.elf	Get hash	malicious	Mirai	Browse	34.66.240.23
	jew.mips.elf	Get hash	malicious	Mirai	Browse	34.118.114.104
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	jew.spc.elf	Get hash	malicious	Mirai	Browse	34.117.135.34
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	34.36.223.9
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	jew.arm.elf	Get hash	malicious	Unknown	Browse	34.17.28.185
	jew.sh4.elf	Get hash	malicious	Mirai	Browse	57.44.124.175
	jew.x86.elf	Get hash	malicious	Mirai	Browse	57.240.89.255
	jew.mips.elf	Get hash	malicious	Mirai	Browse	57.229.27.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	jew.mpsl.elf	Get hash	malicious	Mirai	Browse	51.205.119.4
	jew.ppc.elf	Get hash	malicious	Mirai	Browse	34.144.225.149
	jew.spc.elf	Get hash	malicious	Mirai	Browse	51.188.226.213
FASTLYUS	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	151.101.65.44
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br	Get hash	malicious	HTMLPhisher	Browse	151.101.129.229
	Jmaman_##Salary##_Benefit_for_JmamanID#IyNURVhUTlVNUkFORE9NMTAjIw==.html	Get hash	malicious	HTMLPhisher	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	Oakville_Service_Update_d76b33a1-3420-40be-babd-e82e253ad25c.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
ATGS-MMD-ASUS	https://www.directo.com.bo/dok	Get hash	malicious	Unknown	Browse	34.36.223.9
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	jew.arm.elf	Get hash	malicious	Unknown	Browse	34.17.28.185
	jew.sh4.elf	Get hash	malicious	Mirai	Browse	57.44.124.175
	jew.x86.elf	Get hash	malicious	Mirai	Browse	57.240.89.255
	jew.mips.elf	Get hash	malicious	Mirai	Browse	57.229.27.95
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	jew.mpsl.elf	Get hash	malicious	Mirai	Browse	51.205.119.4
	jew.ppc.elf	Get hash	malicious	Mirai	Browse	34.144.225.149
	jew.spc.elf	Get hash	malicious	Mirai	Browse	51.188.226.213

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_13f5ad97-b408-46c0-b2ed-b10a37f5ed97.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176599861891709
Encrypted:	false
SSDEEP:	192:SjMX1i1M1XcbhbVbTbfbRbObtbyEl7nNeO0zrnJA6WnSrDtTUd/SkDrT:SYF6gXcNhnzFSJteO0zrOBnSrDhUd/p
MD5:	1C6C6256CB82D8AE14D0EA53CDEFF4EB
SHA1:	13B09EAD90978B865B01FE2A4A8167C92A8F35D8
SHA-256:	C3BEAE1ECB3A52AFEA21FB13A1B984ACBC0F420C254FAD30FE2EB2B8966F408F
SHA-512:	AB69B504597292679DAE8736B049C8D44A3FBF4BB60FBC88928503CA75ED77B923BB31ECAD4E41B273D0EB4107DA6B3568C58B126A1385673F221C0E6979232A
Malicious:	false
Preview:	{"type":"uninstall","id":"13f5ad97-b408-46c0-b2ed-b10a37f5ed97","creationDate":"2024-10-29T18:43:32.220Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_13f5ad97-b408-46c0-b2ed-b10a37f5ed97.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.176599861891709
Encrypted:	false
SSDEEP:	192:SjMX1i1M1XcbhbVbTbfbRbObtbyEl7nNeO0zrnJA6WnSrDtTUd/SkDrT:SYF6gXcNhnzFSJteO0zrOBnSrDhUd/p
MD5:	1C6C6256CB82D8AE14D0EA53CDEFF4EB
SHA1:	13B09EAD90978B865B01FE2A4A8167C92A8F35D8
SHA-256:	C3BEAE1ECB3A52AFEA21FB13A1B984ACBC0F420C254FAD30FE2EB2B8966F408F
SHA-512:	AB69B504597292679DAE8736B049C8D44A3FBF4BB60FBC88928503CA75ED77B923BB31ECAD4E41B273D0EB4107DA6B3568C58B126A1385673F221C0E6979232A
Malicious:	false
Preview:	{"type":"uninstall","id":"13f5ad97-b408-46c0-b2ed-b10a37f5ed97","creationDate":"2024-10-29T18:43:32.220Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927539138231081
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNJ9K:8S+OfJQPUFpOdwNIOdYVjvYcXaNL+B8P
MD5:	71D0E7C02617CBB284547B3786E657C6
SHA1:	5661743AB83452ABB0AABC4D4330914A88F69E24
SHA-256:	989A487D60C1B36B76A7589B90E9236D6BD958D99FCA92C97C99186B453DE0D0
SHA-512:	E0BDB88D6FFFF5B8C889648FCC26BA861EE7AB403F067F44E504E3B565485F03B1EF8670771C9B86613F243F98F70CDE818E207FF66C1DE1105305AFA58E625E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927539138231081
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNJ9K:8S+OfJQPUFpOdwNIOdYVjvYcXaNL+B8P
MD5:	71D0E7C02617CBB284547B3786E657C6
SHA1:	5661743AB83452ABB0AABC4D4330914A88F69E24
SHA-256:	989A487D60C1B36B76A7589B90E9236D6BD958D99FCA92C97C99186B453DE0D0
SHA-512:	E0BDB88D6FFFF5B8C889648FCC26BA861EE7AB403F067F44E504E3B565485F03B1EF8670771C9B86613F243F98F70CDE818E207FF66C1DE1105305AFA58E625E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07328806782755866
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiB/:DLhesh7Owd4+jiB/
MD5:	4D8C2C4C0B51C34FF44D622E82F024B1
SHA1:	A9C302D2CB10AFB53BD0DB68BCD6D9589FD1B2C0
SHA-256:	EF8D68544898DA185A721EA8DF43CC3D9D9E34A87D8575E8B2A52BBA72D5BF97
SHA-512:	EC5432B6F199DFFEE45B7751915E3C4519BDA1168B2AB3ACCDD20B8C8602EB139DD691F50290034E2046EA34A211821513709957D532A261EFEA179CFF42E141
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03511342098186293
Encrypted:	false
SSDEEP:	3:GtlstFVT0kg0w/aDIl1lstFVT0kg0w/aZl/lT89//alEl:GtWtA/aEWtA/abx89XuM
MD5:	3ECE4DCB500902AC4696CE8F83F0ECEA
SHA1:	D8AC6CE9453A5E47B5A988C2A6015E56347422B8
SHA-256:	69B6A02047760761A001995543FDD0A513290C477762A33296FA8312E130854D
SHA-512:	46D2F723776E533462E510CAD7D62AE58449EBDD3E8B8580EFA4F3790F8356E0D27FEC032A20501CF5CCB4DD7F577EA328579D9B7E115FA981A0D4C90D269E24
Malicious:	false
Preview:	..-.....................B...A..v.B.....A\|....U...-.....................B...A..v.B.....A\|....U.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03969146411378161
Encrypted:	false
SSDEEP:	3:Ol1ZuEKG9oq3liwl8rEXsxdwhml8XW3R2:K6E7Nlll8dMhm93w
MD5:	E100E005D85C76E5B1286BAADE82E3C4
SHA1:	61196F1BC3171BAA915B19988B592225C5A9916F
SHA-256:	619DA475946A4C3FC175D0DBAB6BE16426AAD739D809FF08901DA9167ED6560F
SHA-512:	4591FEC637259C31428D229A9487B0845AF4BEA03F777C613198C6C37BF27076BB24EC8A6995FAFD3E4F8061804AE6B3ED6F118926618130C945458239EB169A
Malicious:	false
Preview:	7....-...........B.....A\HE.U............B.....A..Bv..A................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	modified
Size (bytes):	13254
Entropy (8bit):	5.493266921480054
Encrypted:	false
SSDEEP:	192:vyZXGLibAnaRtLYbBp6Jhj4qyaaXzh6KDupAPvNWs5RfGNBw8dDSl:vyZXGLibdebqiY0upAPlvcw80
MD5:	4206BDE56B4F216E0B7B35C2839BDA8A
SHA1:	B6F6EFDD0CE0F2633335C50F6A0C085A94AA7438
SHA-256:	3B3B6B5F4450AAB7D5DD0D3235600681214621A87377388849B680CA172BDD86
SHA-512:	D6A5DF1CE6033600180BC5ED70F827966A5E6C0D7A616ADE5CBD6BE976D37191472F5FA33A87EF5465EE4B6A638DA5A5760935C7F3E803FA89829AB5E6F74D53
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730227382);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730227382);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730227382);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173022

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493266921480054
Encrypted:	false
SSDEEP:	192:vyZXGLibAnaRtLYbBp6Jhj4qyaaXzh6KDupAPvNWs5RfGNBw8dDSl:vyZXGLibdebqiY0upAPlvcw80
MD5:	4206BDE56B4F216E0B7B35C2839BDA8A
SHA1:	B6F6EFDD0CE0F2633335C50F6A0C085A94AA7438
SHA-256:	3B3B6B5F4450AAB7D5DD0D3235600681214621A87377388849B680CA172BDD86
SHA-512:	D6A5DF1CE6033600180BC5ED70F827966A5E6C0D7A616ADE5CBD6BE976D37191472F5FA33A87EF5465EE4B6A638DA5A5760935C7F3E803FA89829AB5E6F74D53
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730227382);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730227382);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730227382);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173022

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.328229088554713
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS8MSKHkLXnIg0yK/pnxQwRWT5sKt073eHVQj6TPamzjJlOsIomNVrw:GUpOxaSP8yCnRoa3eHTP5JlIquR4
MD5:	F0933CB869ED2AC30028159718004FF6
SHA1:	937E7A26739563C92E460F68DBB82B9C1AB74D7E
SHA-256:	68F534475BB876449F32E00D2465C6377F651B98F3676A430FE3811A4BB6B021
SHA-512:	B1CD346352A7A1C76BB16FFE6FA1BCA84240F917AA6D7C7E467663D87DB4A13AC01EB147132EEE4324CD96B6E246E99B2FCF6BBB0CA1318A923064DDB23665D5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{894594d9-5b59-4741-ac0b-7fb9d43e0bde}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730227386758,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t..Flags":2167541....width":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P51728...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...57946,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.328229088554713
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS8MSKHkLXnIg0yK/pnxQwRWT5sKt073eHVQj6TPamzjJlOsIomNVrw:GUpOxaSP8yCnRoa3eHTP5JlIquR4
MD5:	F0933CB869ED2AC30028159718004FF6
SHA1:	937E7A26739563C92E460F68DBB82B9C1AB74D7E
SHA-256:	68F534475BB876449F32E00D2465C6377F651B98F3676A430FE3811A4BB6B021
SHA-512:	B1CD346352A7A1C76BB16FFE6FA1BCA84240F917AA6D7C7E467663D87DB4A13AC01EB147132EEE4324CD96B6E246E99B2FCF6BBB0CA1318A923064DDB23665D5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{894594d9-5b59-4741-ac0b-7fb9d43e0bde}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730227386758,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t..Flags":2167541....width":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P51728...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...57946,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.328229088554713
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS8MSKHkLXnIg0yK/pnxQwRWT5sKt073eHVQj6TPamzjJlOsIomNVrw:GUpOxaSP8yCnRoa3eHTP5JlIquR4
MD5:	F0933CB869ED2AC30028159718004FF6
SHA1:	937E7A26739563C92E460F68DBB82B9C1AB74D7E
SHA-256:	68F534475BB876449F32E00D2465C6377F651B98F3676A430FE3811A4BB6B021
SHA-512:	B1CD346352A7A1C76BB16FFE6FA1BCA84240F917AA6D7C7E467663D87DB4A13AC01EB147132EEE4324CD96B6E246E99B2FCF6BBB0CA1318A923064DDB23665D5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{894594d9-5b59-4741-ac0b-7fb9d43e0bde}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730227386758,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t..Flags":2167541....width":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...9,"startTim..P51728...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...57946,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034856257086378
Encrypted:	false
SSDEEP:	48:YrSAY66UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yc6yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	CD399A12BF7A5A7A0A352290A06EDDBF
SHA1:	99B66462E3C552637264FA9F2770D63F978A1C88
SHA-256:	0573A17E34511722B4DF4AB853B42357A103AE59E432F7D24A808549A9737BA8
SHA-512:	3DCFCE9D9805D50CE808EF0E5B5CC43CFB5C3D9C0EE28D6132BFAF9CFC4D0C959469453EED54D6B35DD17D610E3CA13F9B39C20900EF151198965DCC4757DAEA
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T18:42:45.977Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034856257086378
Encrypted:	false
SSDEEP:	48:YrSAY66UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yc6yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	CD399A12BF7A5A7A0A352290A06EDDBF
SHA1:	99B66462E3C552637264FA9F2770D63F978A1C88
SHA-256:	0573A17E34511722B4DF4AB853B42357A103AE59E432F7D24A808549A9737BA8
SHA-512:	3DCFCE9D9805D50CE808EF0E5B5CC43CFB5C3D9C0EE28D6132BFAF9CFC4D0C959469453EED54D6B35DD17D610E3CA13F9B39C20900EF151198965DCC4757DAEA
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-29T18:42:45.977Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584696134436964
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	f1d1ddb711ab9a81234b10eb7417be4d
SHA1:	b4ed561f654cf34fe80521b07effca3835361301
SHA256:	e21deb95793d7008c47b0b11c6341afd6eb5e43c21dafe943abb01bda60cb481
SHA512:	a7a3bca95b24b08726ccdbe418d73c754daf19acab2b5d53ce4f384540fba1baaa2ad0b4209f7c295c8ee3a821531d741fbfc5123accbcb5d0e302359968107a
SSDEEP:	12288:WqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TS:WqDEvCTbMWu7rQYlBQcBiT6rprG8abS
TLSH:	86159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67211725 [Tue Oct 29 17:11:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007EFF64B76B43h
jmp 00007EFF64B7644Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007EFF64B7662Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007EFF64B765FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007EFF64B791EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007EFF64B79238h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007EFF64B79221h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	6fb659cf21bc29a0d809e2173e946483	False	0.31561511075949367	data	5.3737777590656375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 18:24:06.288880110 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:06.288944960 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:06.289735079 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:06.295937061 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:06.295953989 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:06.910914898 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:06.911026955 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:06.919926882 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:06.919987917 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:06.920089960 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:06.920170069 CET	443	49736	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:06.920299053 CET	49736	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:08.660512924 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:08.660557985 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:08.662525892 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:08.668081999 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:08.669306040 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:08.669322014 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:08.670968056 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:08.670979977 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:08.671099901 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:08.676528931 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:08.684113979 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:08.684202909 CET	443	49740	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:08.688683033 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:08.692765951 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:08.692801952 CET	443	49740	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:08.909056902 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:08.909158945 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:08.909895897 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:08.911469936 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:08.911506891 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.262461901 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:09.277264118 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.277363062 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.278558969 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.280076981 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.280112028 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.289510012 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.289535999 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:09.289731979 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.289870024 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.289894104 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:09.321594000 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.355242014 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.360553980 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:09.360634089 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.360774994 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.366122007 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:09.492350101 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:09.492396116 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:09.492588043 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:09.492793083 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:09.492805004 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:09.529989958 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.530000925 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.530071974 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.530680895 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.530961037 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.534630060 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.534640074 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.534748077 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.534810066 CET	443	49738	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.534873009 CET	49738	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.537091970 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.537257910 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.541682959 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.541712999 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.541789055 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.541944027 CET	443	49741	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.542047024 CET	49741	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.542141914 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.542170048 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.542314053 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.543672085 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.543684959 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.545443058 CET	443	49740	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.545530081 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.546133041 CET	443	49740	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.546190977 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.550122023 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.550149918 CET	443	49740	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.550234079 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.550376892 CET	443	49740	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.550518990 CET	49740	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.550554991 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.550591946 CET	443	49747	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.550856113 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.552330971 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:09.552342892 CET	443	49747	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:09.902267933 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.902456045 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:09.902580023 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.902606964 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.907183886 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.907195091 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:09.907439947 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:09.909759045 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.909764051 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.909885883 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.909995079 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.910027027 CET	443	49742	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.910089016 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.910139084 CET	443	49743	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:09.910372019 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.910399914 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.910454988 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.910471916 CET	49742	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.910482883 CET	49743	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:09.910657883 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.912170887 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:09.912182093 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:09.948395967 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.954756021 CET	80	49739	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:09.968400002 CET	49739	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.969295979 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:09.984345913 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:09.991286993 CET	80	49744	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:09.999706984 CET	49744	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:10.111448050 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.123343945 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.153707981 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.156864882 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.167335987 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.173823118 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.190522909 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.190543890 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.190933943 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.234397888 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.280585051 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.280826092 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.283951998 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.283962011 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.287746906 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.287796974 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.291274071 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.291290045 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.291517019 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.294743061 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.294749022 CET	443	49746	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.294867039 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.295008898 CET	49746	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.295011997 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.295022011 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.418397903 CET	443	49747	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:10.418948889 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:10.419101954 CET	443	49747	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:10.420764923 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:10.424387932 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:10.424396038 CET	443	49747	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:10.424484015 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:10.424559116 CET	443	49747	172.217.16.142	192.168.2.4
Oct 29, 2024 18:24:10.424618959 CET	49747	443	192.168.2.4	172.217.16.142
Oct 29, 2024 18:24:10.491334915 CET	443	49745	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.491858959 CET	49745	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.533024073 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.535027981 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.539340973 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.539350986 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.539433002 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.539695978 CET	443	49749	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.539756060 CET	49749	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.647507906 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:10.654932022 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:10.659959078 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:10.660273075 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:10.667674065 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:10.902919054 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.902976990 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.909231901 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.910681009 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:10.910712957 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:10.931593895 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.931606054 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.946620941 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.951302052 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.951318979 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.951613903 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.955051899 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.955116034 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.955303907 CET	443	49750	34.160.144.191	192.168.2.4
Oct 29, 2024 18:24:10.955496073 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:10.955513954 CET	49750	443	192.168.2.4	34.160.144.191
Oct 29, 2024 18:24:11.244302988 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.244354963 CET	443	49755	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:11.244663954 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.246083021 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.246095896 CET	443	49755	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:11.284579039 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:11.335294008 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:11.468885899 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:11.474356890 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:11.474451065 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:11.474558115 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:11.479899883 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:11.541496992 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:11.548878908 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.556283951 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.556303024 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:11.556396008 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.556571007 CET	443	49752	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:11.556776047 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.556823969 CET	443	49757	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:11.558064938 CET	49752	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.558099031 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.559501886 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:11.559518099 CET	443	49757	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:11.867572069 CET	443	49755	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:11.867666006 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.873804092 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.873821020 CET	443	49755	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:11.873913050 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.873997927 CET	443	49755	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:11.874437094 CET	49755	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:11.988982916 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:11.989072084 CET	443	49758	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:11.989969969 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:11.992100000 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:11.992139101 CET	443	49758	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:12.016735077 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.022505045 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.029019117 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:12.029115915 CET	443	49759	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:12.029942036 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:12.031337023 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:12.031371117 CET	443	49759	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:12.043510914 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.043544054 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.044440985 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.044642925 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.044672012 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.099073887 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.141946077 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.159744024 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.184919119 CET	443	49757	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:12.188065052 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.189001083 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:12.193881989 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.194025040 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:12.194036007 CET	443	49757	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:12.194195986 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:12.194215059 CET	443	49757	34.117.188.166	192.168.2.4
Oct 29, 2024 18:24:12.196441889 CET	49757	443	192.168.2.4	34.117.188.166
Oct 29, 2024 18:24:12.206623077 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.292258978 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.297602892 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.313493013 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.355355024 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.417543888 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.459167004 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.472610950 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.478018999 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.601758003 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:12.612134933 CET	443	49758	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:12.612957954 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:12.646444082 CET	443	49759	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:12.651340008 CET	443	49759	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:12.659795046 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:12.659842014 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:12.663153887 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.667330980 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.681965113 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.725855112 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.725879908 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.726181984 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.730670929 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:12.730699062 CET	443	49758	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:12.730820894 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:12.730947971 CET	443	49758	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:12.736933947 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.737131119 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.737179995 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.737195969 CET	443	49760	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:12.744462967 CET	49758	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:12.744505882 CET	49760	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:12.783660889 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:12.783715010 CET	443	49759	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:12.783761978 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:12.784459114 CET	443	49759	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:12.784842014 CET	49759	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:13.814460039 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:13.824831009 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:13.841197968 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:13.841234922 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:13.841567993 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:13.842737913 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:13.842753887 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:13.945420027 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:13.987358093 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:14.474988937 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:14.476434946 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:14.549618959 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:14.549640894 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:14.549695969 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:14.549875021 CET	443	49761	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:14.551341057 CET	49761	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:18.368798971 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:18.374515057 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:18.494651079 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:18.546375036 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:18.925010920 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:18.930340052 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:18.942389965 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:18.942461967 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:18.946369886 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:18.948185921 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:18.948208094 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:19.050262928 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:19.116847992 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:19.119539976 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:19.119586945 CET	443	49767	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:19.120105982 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:19.121408939 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:19.121424913 CET	443	49767	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:19.583803892 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:19.583901882 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:19.589236021 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:19.589251995 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:19.589351892 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:19.589463949 CET	443	49766	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:19.589560986 CET	49766	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:19.724167109 CET	443	49767	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:19.724766016 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:19.736619949 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:19.736639977 CET	443	49767	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:19.736704111 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:19.736864090 CET	443	49767	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:19.739062071 CET	49767	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:20.437266111 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:20.442688942 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:20.562431097 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:20.613482952 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:21.042995930 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:21.045831919 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.045905113 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.047669888 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.047744989 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.048535109 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:21.060087919 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.060264111 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.060553074 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.060609102 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.060707092 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.060736895 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.079574108 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:21.079641104 CET	443	49771	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:21.080272913 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:21.082262993 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:21.082300901 CET	443	49771	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:21.108088970 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.108118057 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.109028101 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.111048937 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.111076117 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.168100119 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:21.215259075 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:21.255155087 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:21.260647058 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:21.380400896 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:21.431488037 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:21.690442085 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.690480947 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.690499067 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.690511942 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.698137045 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.698165894 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:21.702461958 CET	443	49771	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:21.707355976 CET	443	49771	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:21.708511114 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:21.716793060 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:21.716927052 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.047943115 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.048012018 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.048368931 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.051477909 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.051511049 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.051975012 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.094027042 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.094149113 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.172700882 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.172787905 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.172914028 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.172986984 CET	443	49769	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.173139095 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.173360109 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:22.173423052 CET	443	49770	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.173454046 CET	443	49771	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:22.173492908 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:22.173526049 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.173547983 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.173603058 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.173759937 CET	49769	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.173778057 CET	443	49772	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:22.173780918 CET	49770	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.173955917 CET	443	49771	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:22.174335003 CET	49772	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:22.174376011 CET	49771	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:23.305460930 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.305537939 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.308885098 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.309022903 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.309046030 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.309676886 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:23.318352938 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:23.318435907 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.318468094 CET	443	49775	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.319629908 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.321635962 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.321651936 CET	443	49775	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.323407888 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.323491096 CET	443	49776	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.323740005 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.323894978 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.323932886 CET	443	49776	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.434885025 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:23.438194990 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:23.443631887 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:23.482280016 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:23.563832045 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:23.613816977 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:23.932373047 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.932496071 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.936460018 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.936490059 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.936712980 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.939584970 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.939739943 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.939798117 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.939816952 CET	443	49774	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.939866066 CET	443	49775	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.939961910 CET	49774	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.940040112 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.942239046 CET	443	49776	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.943100929 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:23.944308043 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.946302891 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.946329117 CET	443	49776	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.947119951 CET	443	49776	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.947530031 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.947537899 CET	443	49775	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.947614908 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.947810888 CET	443	49775	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.948244095 CET	49775	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.948385000 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:23.949677944 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.949752092 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.950052977 CET	443	49776	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.950119972 CET	49776	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.951939106 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.952008963 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:23.952747107 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.953911066 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:23.953939915 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:24.068507910 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.072681904 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:24.078279018 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.115289927 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:24.227054119 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.284610987 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:24.591175079 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:24.591295004 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:24.596008062 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:24.596057892 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:24.596205950 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:24.596249104 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:24.596266985 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:24.599657059 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:24.605686903 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.731116056 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.735452890 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:24.741040945 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.786005974 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:24.807337999 CET	443	49777	34.120.208.123	192.168.2.4
Oct 29, 2024 18:24:24.808648109 CET	49777	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:24:24.860586882 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:24.901935101 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:31.055862904 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.055924892 CET	443	49778	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:31.056370974 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.057809114 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.057828903 CET	443	49778	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:31.714585066 CET	443	49778	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:31.714812040 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.719805002 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.719819069 CET	443	49778	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:31.719918966 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.720031023 CET	443	49778	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:31.721415997 CET	49778	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:31.723952055 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:31.729351044 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:31.849577904 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:31.853796959 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:31.859538078 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:31.907011986 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:31.979458094 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:32.038397074 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:34.686513901 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:34.686551094 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:34.692558050 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:34.692686081 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:34.692697048 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:34.696692944 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:34.696734905 CET	443	49780	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:34.697124958 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:34.714798927 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:34.714811087 CET	443	49780	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:34.715327978 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:34.715372086 CET	443	49781	151.101.65.91	192.168.2.4
Oct 29, 2024 18:24:34.715593100 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:34.715663910 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:34.715677023 CET	443	49781	151.101.65.91	192.168.2.4
Oct 29, 2024 18:24:34.865154028 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:34.865281105 CET	443	49782	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:34.866303921 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:34.867842913 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:34.867893934 CET	443	49782	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:34.879373074 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:34.879441023 CET	443	49783	35.201.103.21	192.168.2.4
Oct 29, 2024 18:24:34.880933046 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:34.882349014 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:34.882359982 CET	443	49783	35.201.103.21	192.168.2.4
Oct 29, 2024 18:24:35.296812057 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.296894073 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.300093889 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.300102949 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.300425053 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.303014994 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.303122997 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.303215027 CET	443	49779	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.303337097 CET	49779	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.307122946 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:35.312539101 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.360719919 CET	443	49780	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:35.360806942 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.364015102 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.364037037 CET	443	49780	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:35.364391088 CET	443	49780	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:35.366960049 CET	443	49781	151.101.65.91	192.168.2.4
Oct 29, 2024 18:24:35.367017984 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.367125988 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.367216110 CET	443	49780	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:35.368630886 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:35.368825912 CET	49780	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.371439934 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:35.371506929 CET	443	49781	151.101.65.91	192.168.2.4
Oct 29, 2024 18:24:35.371867895 CET	443	49781	151.101.65.91	192.168.2.4
Oct 29, 2024 18:24:35.373790026 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:35.373855114 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:35.374000072 CET	443	49781	151.101.65.91	192.168.2.4
Oct 29, 2024 18:24:35.378588915 CET	49781	443	192.168.2.4	151.101.65.91
Oct 29, 2024 18:24:35.381819010 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.381860971 CET	443	49784	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.382193089 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.382340908 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.382356882 CET	443	49784	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.384848118 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.384941101 CET	443	49785	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.385394096 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.385482073 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.385504961 CET	443	49785	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.387084007 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.387096882 CET	443	49786	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.387238026 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.387399912 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.387418985 CET	443	49786	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.687854052 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.689650059 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.689919949 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:35.691504955 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:35.692620993 CET	443	49782	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:35.692769051 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:35.696630001 CET	443	49783	35.201.103.21	192.168.2.4
Oct 29, 2024 18:24:35.696851015 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:35.698905945 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:35.698955059 CET	443	49782	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:35.699007034 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:35.699186087 CET	443	49782	35.190.72.216	192.168.2.4
Oct 29, 2024 18:24:35.700758934 CET	49782	443	192.168.2.4	35.190.72.216
Oct 29, 2024 18:24:35.700974941 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:35.700987101 CET	443	49783	35.201.103.21	192.168.2.4
Oct 29, 2024 18:24:35.701051950 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:35.701150894 CET	443	49783	35.201.103.21	192.168.2.4
Oct 29, 2024 18:24:35.701462030 CET	49783	443	192.168.2.4	35.201.103.21
Oct 29, 2024 18:24:35.702147007 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:35.713814020 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.713860035 CET	443	49787	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:35.713965893 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.714111090 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:35.714129925 CET	443	49787	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:35.719718933 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.721359968 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.839307070 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.841566086 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.844218016 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:35.850831032 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.895639896 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:35.972296953 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:35.994254112 CET	443	49784	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.994350910 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.997158051 CET	443	49786	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.997416973 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:35.997426033 CET	443	49784	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.997654915 CET	443	49784	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:35.997880936 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.000148058 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.000153065 CET	443	49786	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.000835896 CET	443	49786	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.002506018 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.002604008 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.002669096 CET	443	49784	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.003438950 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.003505945 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.003659010 CET	443	49786	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.004338980 CET	49784	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.004359961 CET	49786	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.007392883 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.009373903 CET	443	49785	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.009766102 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.012402058 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.012418032 CET	443	49785	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.012743950 CET	443	49785	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.014161110 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.014630079 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.014713049 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.014786959 CET	443	49785	35.244.181.201	192.168.2.4
Oct 29, 2024 18:24:36.014853954 CET	49785	443	192.168.2.4	35.244.181.201
Oct 29, 2024 18:24:36.018100023 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.138343096 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.141503096 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.147026062 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.181051016 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.267174959 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.319044113 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.356697083 CET	443	49787	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:36.356797934 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:36.360161066 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:36.360178947 CET	443	49787	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:36.360434055 CET	443	49787	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:36.362771988 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:36.362884045 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:36.362946033 CET	443	49787	34.149.100.209	192.168.2.4
Oct 29, 2024 18:24:36.363992929 CET	49787	443	192.168.2.4	34.149.100.209
Oct 29, 2024 18:24:36.366024971 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.371609926 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.491409063 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.494596958 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.501193047 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.535135984 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:36.621280909 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:36.666702986 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:46.498393059 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:46.503853083 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:46.630023956 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:46.636162043 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:51.804559946 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:51.804637909 CET	443	49789	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:51.804929018 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:51.806269884 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:51.806308031 CET	443	49789	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:52.408817053 CET	443	49789	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:52.409054041 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:52.418121099 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:52.418159008 CET	443	49789	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:52.418216944 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:52.418339968 CET	443	49789	34.107.243.93	192.168.2.4
Oct 29, 2024 18:24:52.419790983 CET	49789	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:24:52.422099113 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:52.427459002 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:52.547477007 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:52.553838015 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:52.560461998 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:52.594074965 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:52.680339098 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:52.747780085 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:58.364573002 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:58.370017052 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:58.489506006 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:58.491853952 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:58.497251987 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:58.533423901 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:24:58.617074013 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:24:58.664977074 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:05.094784021 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.094847918 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.095242023 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.095261097 CET	443	49829	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.095519066 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.095546961 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.099174976 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.099184036 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.099222898 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.099395990 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.099423885 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.099539995 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.099555016 CET	443	49829	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.099620104 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.099632978 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.711380959 CET	443	49829	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.711453915 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.714507103 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.714514971 CET	443	49829	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.714813948 CET	443	49829	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.716676950 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.716784000 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.716883898 CET	443	49829	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.717600107 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.717617035 CET	49829	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.721059084 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:05.722151995 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.722378969 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.725933075 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.725965023 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.726291895 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.727271080 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:05.728298903 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.729399920 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.729530096 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.729577065 CET	443	49828	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.730345011 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.730386972 CET	49828	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.730386972 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.734368086 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.734384060 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.734791040 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.737817049 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.737916946 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.738018990 CET	443	49830	34.120.208.123	192.168.2.4
Oct 29, 2024 18:25:05.738878965 CET	49830	443	192.168.2.4	34.120.208.123
Oct 29, 2024 18:25:05.847527027 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:05.850723982 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:05.857047081 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:05.892014980 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:05.976695061 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:06.023374081 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:15.852185965 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:15.857476950 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:15.983722925 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:15.989442110 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:25.866569042 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:25.872152090 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:26.004595995 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:26.010078907 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:33.071899891 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.071950912 CET	443	49977	34.107.243.93	192.168.2.4
Oct 29, 2024 18:25:33.072020054 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.073467016 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.073484898 CET	443	49977	34.107.243.93	192.168.2.4
Oct 29, 2024 18:25:33.707298040 CET	443	49977	34.107.243.93	192.168.2.4
Oct 29, 2024 18:25:33.707396030 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.712513924 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.712523937 CET	443	49977	34.107.243.93	192.168.2.4
Oct 29, 2024 18:25:33.712619066 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.712835073 CET	443	49977	34.107.243.93	192.168.2.4
Oct 29, 2024 18:25:33.712883949 CET	49977	443	192.168.2.4	34.107.243.93
Oct 29, 2024 18:25:33.715636969 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:33.721050978 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:33.840931892 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:33.844634056 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:33.850167990 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:33.889389992 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:33.969949961 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:34.027498960 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:43.855361938 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:43.863375902 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:43.971379042 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:43.976993084 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:53.884408951 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:53.890050888 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:25:53.984675884 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:25:53.990247011 CET	80	49756	34.107.221.82	192.168.2.4
Oct 29, 2024 18:26:03.901470900 CET	49751	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:26:03.906924963 CET	80	49751	34.107.221.82	192.168.2.4
Oct 29, 2024 18:26:04.002357960 CET	49756	80	192.168.2.4	34.107.221.82
Oct 29, 2024 18:26:04.008321047 CET	80	49756	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 18:24:06.289633036 CET	50512	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:06.297727108 CET	53	50512	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:06.299881935 CET	62684	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:06.309264898 CET	53	62684	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.428131104 CET	50982	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.441901922 CET	62735	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.450170994 CET	53	62735	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.455024958 CET	53227	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.463624954 CET	53	53227	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.648713112 CET	61424	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.657401085 CET	53	61424	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.661020041 CET	64657	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.668663979 CET	53	64657	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.697669029 CET	65335	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.705315113 CET	53	65335	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.898008108 CET	61695	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.905849934 CET	53	61695	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.909800053 CET	56916	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.917514086 CET	53	56916	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:08.918128967 CET	59269	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:08.925787926 CET	53	59269	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.266518116 CET	64599	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.274120092 CET	53	64599	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.277420044 CET	51829	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.288460016 CET	53	51829	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.289655924 CET	55053	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.290508986 CET	55601	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.297771931 CET	53	55053	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.298625946 CET	53	55601	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.308157921 CET	50349	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.310949087 CET	56618	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.316050053 CET	53	50349	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.318804979 CET	53	56618	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.321208954 CET	52731	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.329118013 CET	53	52731	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.331698895 CET	50562	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.478790045 CET	64085	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.490721941 CET	53	64085	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.492512941 CET	61924	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.500981092 CET	53	61924	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:09.501698971 CET	59646	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:09.509538889 CET	53	59646	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:10.908020020 CET	52850	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:10.940231085 CET	63792	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:10.955390930 CET	53	63792	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:10.957879066 CET	59459	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:10.967276096 CET	53	59459	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:10.967288017 CET	53	54083	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:10.968986034 CET	56505	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:10.979438066 CET	53	56505	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:11.989592075 CET	52854	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:11.998241901 CET	53	52854	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:12.004190922 CET	60449	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:12.012399912 CET	53	60449	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:12.017438889 CET	54515	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:12.025955915 CET	53	54515	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:12.029680014 CET	59155	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:12.038774967 CET	53	59155	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:12.072676897 CET	60799	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:12.081207991 CET	53	60799	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:13.823420048 CET	60184	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:13.832534075 CET	53	60184	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:13.840563059 CET	56742	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:13.852932930 CET	53	56742	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:13.853838921 CET	59667	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:13.867934942 CET	53	59667	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.371032000 CET	57822	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.371330976 CET	53948	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.371876955 CET	62742	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.378823042 CET	53	57822	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.378952980 CET	53	53948	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.380089998 CET	53	62742	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.387567043 CET	53464	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.390399933 CET	63695	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.391136885 CET	58479	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.395354033 CET	53	53464	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.396055937 CET	50439	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.398714066 CET	53	63695	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.399791002 CET	53	58479	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.402580976 CET	55956	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.402757883 CET	59184	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.404654980 CET	53	50439	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.405174971 CET	59945	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.411103010 CET	53	59184	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.411637068 CET	54066	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.411947966 CET	53	55956	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.412959099 CET	53	59945	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.413559914 CET	62948	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.419131994 CET	53	54066	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.419948101 CET	52481	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.421951056 CET	53	62948	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.422370911 CET	63808	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.428567886 CET	53	52481	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.430840015 CET	53	63808	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.430927038 CET	56914	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.438625097 CET	53	56914	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.828170061 CET	50667	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.835851908 CET	53	50667	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.837152958 CET	57615	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.845221996 CET	53	57615	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:18.956702948 CET	61950	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:18.964612007 CET	53	61950	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:23.952677965 CET	60701	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:23.960191965 CET	53	60701	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:31.056132078 CET	54279	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:31.064780951 CET	53	54279	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.687613964 CET	52344	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.693814993 CET	64284	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.697247982 CET	53	52344	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.704377890 CET	53	64284	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.706850052 CET	56165	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.715343952 CET	53	56165	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.716104984 CET	59726	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.725438118 CET	53	59726	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.870197058 CET	57558	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.878485918 CET	53	57558	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.880022049 CET	64700	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.889383078 CET	53	64700	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:34.901052952 CET	63167	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:34.910422087 CET	53	63167	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:51.795293093 CET	58884	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:51.803240061 CET	53	58884	1.1.1.1	192.168.2.4
Oct 29, 2024 18:24:51.804825068 CET	56145	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:24:51.812417984 CET	53	56145	1.1.1.1	192.168.2.4
Oct 29, 2024 18:25:05.092427969 CET	50504	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:25:05.101528883 CET	53	50504	1.1.1.1	192.168.2.4
Oct 29, 2024 18:25:05.721606016 CET	55782	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:25:32.936808109 CET	54674	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:25:33.070420980 CET	53	54674	1.1.1.1	192.168.2.4
Oct 29, 2024 18:25:33.071424961 CET	59801	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:25:33.078872919 CET	53	59801	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 18:24:06.289633036 CET	192.168.2.4	1.1.1.1	0x8fb5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:06.299881935 CET	192.168.2.4	1.1.1.1	0x90da	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:08.428131104 CET	192.168.2.4	1.1.1.1	0x6e82	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.441901922 CET	192.168.2.4	1.1.1.1	0xd5d7	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.455024958 CET	192.168.2.4	1.1.1.1	0xe130	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:08.648713112 CET	192.168.2.4	1.1.1.1	0xcbbc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.661020041 CET	192.168.2.4	1.1.1.1	0x8af1	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.697669029 CET	192.168.2.4	1.1.1.1	0xc0ac	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:08.898008108 CET	192.168.2.4	1.1.1.1	0x49	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.909800053 CET	192.168.2.4	1.1.1.1	0xdb9c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.918128967 CET	192.168.2.4	1.1.1.1	0xc9e7	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:09.266518116 CET	192.168.2.4	1.1.1.1	0x2213	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.277420044 CET	192.168.2.4	1.1.1.1	0xdcdc	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.289655924 CET	192.168.2.4	1.1.1.1	0xab7f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.290508986 CET	192.168.2.4	1.1.1.1	0xf533	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:09.308157921 CET	192.168.2.4	1.1.1.1	0xd136	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.310949087 CET	192.168.2.4	1.1.1.1	0xe9d9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:09.321208954 CET	192.168.2.4	1.1.1.1	0xc6b0	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.331698895 CET	192.168.2.4	1.1.1.1	0x6635	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.478790045 CET	192.168.2.4	1.1.1.1	0x2c74	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.492512941 CET	192.168.2.4	1.1.1.1	0x96c5	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.501698971 CET	192.168.2.4	1.1.1.1	0xc36d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:10.908020020 CET	192.168.2.4	1.1.1.1	0xb640	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:10.940231085 CET	192.168.2.4	1.1.1.1	0x4cf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:10.957879066 CET	192.168.2.4	1.1.1.1	0xda9f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:10.968986034 CET	192.168.2.4	1.1.1.1	0x9212	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:11.989592075 CET	192.168.2.4	1.1.1.1	0xb61f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:12.004190922 CET	192.168.2.4	1.1.1.1	0x161c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:12.017438889 CET	192.168.2.4	1.1.1.1	0x1d39	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:12.029680014 CET	192.168.2.4	1.1.1.1	0xedb6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:12.072676897 CET	192.168.2.4	1.1.1.1	0x10fb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:13.823420048 CET	192.168.2.4	1.1.1.1	0xa162	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:13.840563059 CET	192.168.2.4	1.1.1.1	0xc491	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:13.853838921 CET	192.168.2.4	1.1.1.1	0x322e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.371032000 CET	192.168.2.4	1.1.1.1	0x8e72	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.371330976 CET	192.168.2.4	1.1.1.1	0x88f8	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.371876955 CET	192.168.2.4	1.1.1.1	0xabc7	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.387567043 CET	192.168.2.4	1.1.1.1	0x6bf8	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.390399933 CET	192.168.2.4	1.1.1.1	0x582	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.391136885 CET	192.168.2.4	1.1.1.1	0xf608	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.396055937 CET	192.168.2.4	1.1.1.1	0xfda0	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.402580976 CET	192.168.2.4	1.1.1.1	0xab88	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.402757883 CET	192.168.2.4	1.1.1.1	0x617	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.405174971 CET	192.168.2.4	1.1.1.1	0x87e	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.411637068 CET	192.168.2.4	1.1.1.1	0x71cf	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.413559914 CET	192.168.2.4	1.1.1.1	0xe655	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.419948101 CET	192.168.2.4	1.1.1.1	0x1591	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.422370911 CET	192.168.2.4	1.1.1.1	0xf353	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.430927038 CET	192.168.2.4	1.1.1.1	0x60a7	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.828170061 CET	192.168.2.4	1.1.1.1	0x66fc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.837152958 CET	192.168.2.4	1.1.1.1	0x290b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:18.956702948 CET	192.168.2.4	1.1.1.1	0xcc44	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:23.952677965 CET	192.168.2.4	1.1.1.1	0x92c4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:31.056132078 CET	192.168.2.4	1.1.1.1	0x9ee2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:34.687613964 CET	192.168.2.4	1.1.1.1	0x2884	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 29, 2024 18:24:34.693814993 CET	192.168.2.4	1.1.1.1	0xef47	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.706850052 CET	192.168.2.4	1.1.1.1	0x8c34	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.716104984 CET	192.168.2.4	1.1.1.1	0xe4fb	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 29, 2024 18:24:34.870197058 CET	192.168.2.4	1.1.1.1	0xe62f	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.880022049 CET	192.168.2.4	1.1.1.1	0x4dfb	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.901052952 CET	192.168.2.4	1.1.1.1	0x8ce9	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:24:51.795293093 CET	192.168.2.4	1.1.1.1	0x6e53	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:51.804825068 CET	192.168.2.4	1.1.1.1	0x3d41	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:25:05.092427969 CET	192.168.2.4	1.1.1.1	0xe2c6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 29, 2024 18:25:05.721606016 CET	192.168.2.4	1.1.1.1	0xad9e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:25:32.936808109 CET	192.168.2.4	1.1.1.1	0x3a53	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:25:33.071424961 CET	192.168.2.4	1.1.1.1	0x6756	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 18:24:06.236563921 CET	1.1.1.1	192.168.2.4	0x47c6	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:06.297727108 CET	1.1.1.1	192.168.2.4	0x8fb5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.436925888 CET	1.1.1.1	192.168.2.4	0x6e82	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:08.436925888 CET	1.1.1.1	192.168.2.4	0x6e82	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.450170994 CET	1.1.1.1	192.168.2.4	0xd5d7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.463624954 CET	1.1.1.1	192.168.2.4	0xe130	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 18:24:08.657401085 CET	1.1.1.1	192.168.2.4	0xcbbc	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.668663979 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.705315113 CET	1.1.1.1	192.168.2.4	0xc0ac	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 29, 2024 18:24:08.905849934 CET	1.1.1.1	192.168.2.4	0x49	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:08.917514086 CET	1.1.1.1	192.168.2.4	0xdb9c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.274120092 CET	1.1.1.1	192.168.2.4	0x2213	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:09.274120092 CET	1.1.1.1	192.168.2.4	0x2213	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.288389921 CET	1.1.1.1	192.168.2.4	0xfe6b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:09.288389921 CET	1.1.1.1	192.168.2.4	0xfe6b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.288460016 CET	1.1.1.1	192.168.2.4	0xdcdc	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.297771931 CET	1.1.1.1	192.168.2.4	0xab7f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.316050053 CET	1.1.1.1	192.168.2.4	0xd136	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.329118013 CET	1.1.1.1	192.168.2.4	0xc6b0	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.329118013 CET	1.1.1.1	192.168.2.4	0xc6b0	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.339934111 CET	1.1.1.1	192.168.2.4	0x6635	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:09.339934111 CET	1.1.1.1	192.168.2.4	0x6635	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.490721941 CET	1.1.1.1	192.168.2.4	0x2c74	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:09.490721941 CET	1.1.1.1	192.168.2.4	0x2c74	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:09.490721941 CET	1.1.1.1	192.168.2.4	0x2c74	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.500981092 CET	1.1.1.1	192.168.2.4	0x96c5	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:09.509538889 CET	1.1.1.1	192.168.2.4	0xc36d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 29, 2024 18:24:10.923367023 CET	1.1.1.1	192.168.2.4	0xb640	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:10.955390930 CET	1.1.1.1	192.168.2.4	0x4cf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:10.967276096 CET	1.1.1.1	192.168.2.4	0xda9f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:11.987728119 CET	1.1.1.1	192.168.2.4	0x6b67	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:11.998241901 CET	1.1.1.1	192.168.2.4	0xb61f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:12.025955915 CET	1.1.1.1	192.168.2.4	0x1d39	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:12.025955915 CET	1.1.1.1	192.168.2.4	0x1d39	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:12.028079033 CET	1.1.1.1	192.168.2.4	0xcf26	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:12.028079033 CET	1.1.1.1	192.168.2.4	0xcf26	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:12.038774967 CET	1.1.1.1	192.168.2.4	0xedb6	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:13.827735901 CET	1.1.1.1	192.168.2.4	0x9ea9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:13.832534075 CET	1.1.1.1	192.168.2.4	0xa162	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:13.832534075 CET	1.1.1.1	192.168.2.4	0xa162	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:13.832534075 CET	1.1.1.1	192.168.2.4	0xa162	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:13.852932930 CET	1.1.1.1	192.168.2.4	0xc491	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378823042 CET	1.1.1.1	192.168.2.4	0x8e72	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378952980 CET	1.1.1.1	192.168.2.4	0x88f8	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:18.378952980 CET	1.1.1.1	192.168.2.4	0x88f8	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.380089998 CET	1.1.1.1	192.168.2.4	0xabc7	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:18.380089998 CET	1.1.1.1	192.168.2.4	0xabc7	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.395354033 CET	1.1.1.1	192.168.2.4	0x6bf8	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.398714066 CET	1.1.1.1	192.168.2.4	0x582	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.399791002 CET	1.1.1.1	192.168.2.4	0xf608	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.404654980 CET	1.1.1.1	192.168.2.4	0xfda0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 18:24:18.404654980 CET	1.1.1.1	192.168.2.4	0xfda0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 18:24:18.404654980 CET	1.1.1.1	192.168.2.4	0xfda0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 18:24:18.404654980 CET	1.1.1.1	192.168.2.4	0xfda0	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 29, 2024 18:24:18.411103010 CET	1.1.1.1	192.168.2.4	0x617	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 29, 2024 18:24:18.411947966 CET	1.1.1.1	192.168.2.4	0xab88	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 29, 2024 18:24:18.412959099 CET	1.1.1.1	192.168.2.4	0x87e	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:18.412959099 CET	1.1.1.1	192.168.2.4	0x87e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.412959099 CET	1.1.1.1	192.168.2.4	0x87e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.412959099 CET	1.1.1.1	192.168.2.4	0x87e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.412959099 CET	1.1.1.1	192.168.2.4	0x87e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.419131994 CET	1.1.1.1	192.168.2.4	0x71cf	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.421951056 CET	1.1.1.1	192.168.2.4	0xe655	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.421951056 CET	1.1.1.1	192.168.2.4	0xe655	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.421951056 CET	1.1.1.1	192.168.2.4	0xe655	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.421951056 CET	1.1.1.1	192.168.2.4	0xe655	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.428567886 CET	1.1.1.1	192.168.2.4	0x1591	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:18.835851908 CET	1.1.1.1	192.168.2.4	0x66fc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.704377890 CET	1.1.1.1	192.168.2.4	0xef47	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.704377890 CET	1.1.1.1	192.168.2.4	0xef47	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.704377890 CET	1.1.1.1	192.168.2.4	0xef47	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.704377890 CET	1.1.1.1	192.168.2.4	0xef47	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.715343952 CET	1.1.1.1	192.168.2.4	0x8c34	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.715343952 CET	1.1.1.1	192.168.2.4	0x8c34	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.715343952 CET	1.1.1.1	192.168.2.4	0x8c34	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.715343952 CET	1.1.1.1	192.168.2.4	0x8c34	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.725438118 CET	1.1.1.1	192.168.2.4	0xe4fb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 18:24:34.725438118 CET	1.1.1.1	192.168.2.4	0xe4fb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 18:24:34.725438118 CET	1.1.1.1	192.168.2.4	0xe4fb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 18:24:34.725438118 CET	1.1.1.1	192.168.2.4	0xe4fb	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 29, 2024 18:24:34.878485918 CET	1.1.1.1	192.168.2.4	0xe62f	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:34.878485918 CET	1.1.1.1	192.168.2.4	0xe62f	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:34.889383078 CET	1.1.1.1	192.168.2.4	0x4dfb	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:24:36.019506931 CET	1.1.1.1	192.168.2.4	0x898e	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:36.019506931 CET	1.1.1.1	192.168.2.4	0x898e	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:24:51.803240061 CET	1.1.1.1	192.168.2.4	0x6e53	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:25:05.083385944 CET	1.1.1.1	192.168.2.4	0x8771	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:25:05.730248928 CET	1.1.1.1	192.168.2.4	0xad9e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 18:25:05.730248928 CET	1.1.1.1	192.168.2.4	0xad9e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 29, 2024 18:25:33.070420980 CET	1.1.1.1	192.168.2.4	0x3a53	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	6020	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 18:24:08.671099901 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:09.262461901 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9863 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	6020	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 18:24:09.360774994 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:09.969295979 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79735 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	6020	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 18:24:10.660273075 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:11.284579039 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9865 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:12.016735077 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:12.141946077 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9866 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:12.292258978 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:12.417543888 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9866 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:13.814460039 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:13.945420027 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9867 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:18.925010920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:19.050262928 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9872 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:21.042995930 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:21.168100119 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9875 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:23.309676886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:23.434885025 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9877 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:23.943100929 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:24.068507910 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9878 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:24.599657059 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:24.731116056 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9878 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:31.723952055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:31.849577904 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9885 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:35.307122946 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:35.687854052 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9889 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:35.689650059 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9889 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:35.702147007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:35.841566086 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9889 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:36.007392883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:36.138343096 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9890 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:36.366024971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:36.491409063 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9890 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:46.498393059 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:24:52.422099113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:52.547477007 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9906 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:24:58.364573002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:24:58.489506006 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9912 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:25:05.721059084 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:25:05.847527027 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9919 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:25:15.852185965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:25:25.866569042 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:25:33.715636969 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 29, 2024 18:25:33.840931892 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 14:39:46 GMT Age: 9947 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 29, 2024 18:25:43.855361938 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:25:53.884408951 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:26:03.901470900 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49756	34.107.221.82	80	6020	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 18:24:11.474558115 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:12.099073887 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79738 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:12.188065052 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:12.313493013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79738 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:12.472610950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:12.601758003 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79738 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:18.368798971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:18.494651079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79744 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:20.437266111 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:20.562431097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79746 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:21.255155087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:21.380400896 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79747 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:23.438194990 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:23.563832045 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79749 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:24.072681904 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:24.227054119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:24.735452890 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:24.860586882 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:31.853796959 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:31.979458094 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79757 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:35.691504955 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:35.839307070 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79761 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:35.844218016 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:35.972296953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79761 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:36.141503096 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:36.267174959 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79762 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:36.494596958 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:36.621280909 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79762 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:46.630023956 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:24:52.553838015 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:52.680339098 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79778 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:24:58.491853952 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:24:58.617074013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79784 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:25:05.850723982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:25:05.976695061 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79791 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:25:15.983722925 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:25:26.004595995 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:25:33.844634056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 29, 2024 18:25:33.969949961 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 28 Oct 2024 19:15:14 GMT Age: 79819 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 29, 2024 18:25:43.971379042 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:25:53.984675884 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 29, 2024 18:26:04.002357960 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	13:23:59
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x710000
File size:	919'552 bytes
MD5 hash:	F1D1DDB711AB9A81234B10EB7417BE4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:24:00
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xd90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:24:00
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xd90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xd90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xd90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xd90000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:24:02
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:24:03
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:24:03
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:24:03
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	13:24:04
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9166fe6b-6312-45c0-99a0-435f25bf70b7} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0faf70710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:24:06
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3840 -parentBuildID 20230927232528 -prefsHandle 4104 -prefMapHandle 4424 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0c0f30-e05e-429e-932b-ee96ae950bae} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f0ff823a10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	13:24:11
Start date:	29/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5396 -prefMapHandle 5420 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b15a8493-3b64-4f9e-b7e1-655faeded7fa} 6020 "\\.\pipe\gecko-crash-server-pipe.6020" 1f097486f10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1548
Total number of Limit Nodes:	59

Executed Functions

Function 007142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0071430D

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

GetCurrentProcess.KERNEL32(?,007ACB64,00000000,?,?), ref: 00714422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00714429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00714454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00714466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00714474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0071447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007144A0

Strings

|O, xrefs: 007536F8
kernel32.dll, xrefs: 0071444F
GetNativeSystemInfo, xrefs: 00714460

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8422e3c819b3fd66c7ef82bb10765c8cc169e645bb6c45aca133f72cb36812a9
Instruction ID: 61a728e487382d2ffd26c9a8a2a6302f791fd2cd0d411c066b4e7bd40995fff8
Opcode Fuzzy Hash: 8422e3c819b3fd66c7ef82bb10765c8cc169e645bb6c45aca133f72cb36812a9
Instruction Fuzzy Hash: C2A1B57190B2C0DFC712C76DBCC35D97FA46B2E741B98C899D8419BA62D27C4948CB39

Function 007142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007150AA,?,?,00000000,00000000), ref: 007142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007150AA,?,?,00000000,00000000), ref: 007142C9
LoadResource.KERNEL32(?,00000000,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20), ref: 007535BE
SizeofResource.KERNEL32(?,00000000,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20), ref: 007535D3
LockResource.KERNEL32(007150AA,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20,?), ref: 007535E6

Strings

SCRIPT, xrefs: 007142BF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6326701dea7b611c3745878353fef1de12f9c6246b7a54cb7ee9eadea9309db9
Instruction ID: 078e415e3dcdb5a2318902a1cf8b8e1b4e08edb23d86cefa097389b90d852af8
Opcode Fuzzy Hash: 6326701dea7b611c3745878353fef1de12f9c6246b7a54cb7ee9eadea9309db9
Instruction Fuzzy Hash: 76118E71200700BFDB268B69DC49F677BBAFBC6B51F108169F402D62A0DB75DC409A30

Function 00752BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00712B6B

Part of subcall function 00713A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E1418,?,00712E7F,?,?,?,00000000), ref: 00713A78

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007D2224), ref: 00752C10
ShellExecuteW.SHELL32(00000000,?,?,007D2224), ref: 00752C17

Strings

runas, xrefs: 00752C0B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 85d584d4f750e5e00dd26d518d932129a611c4dc5a64ff1e93e14fc5f3e5bb7a
Instruction ID: fdd33ec09103c1c2364a8ce8d37effc187918350f2a1411c69899f80e1b0251e
Opcode Fuzzy Hash: 85d584d4f750e5e00dd26d518d932129a611c4dc5a64ff1e93e14fc5f3e5bb7a
Instruction Fuzzy Hash: 8C11D571208381EAC715FF68D85A9EDB7A49B96350F44442DB182061E3DF3C9A8B8712

Function 0077D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0077D501
Process32FirstW.KERNEL32(00000000,?), ref: 0077D50F
Process32NextW.KERNEL32(00000000,?), ref: 0077D52F
CloseHandle.KERNELBASE(00000000), ref: 0077D5DC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 95326117376729f05973ea81cc7a6813d97bfbb87f909dba36f38cd3f287a449
Instruction ID: fdac29c39eb320e89cdccb77d7d8b6e701500ab5697455adbf8ec287c4ecc539
Opcode Fuzzy Hash: 95326117376729f05973ea81cc7a6813d97bfbb87f909dba36f38cd3f287a449
Instruction Fuzzy Hash: 5A31B372108300EFD711EF54C895AAFBBF8EFD9384F10452DF685821A1EB759985CBA2

Function 0077DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00755222), ref: 0077DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0077DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0077DBEE
FindClose.KERNEL32(00000000), ref: 0077DBFA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7fc455223917fb0fcf06fe3d132dd4ee6b2e069a4ca13ffdbcd0756ea121652e
Instruction ID: 0e8db9eb0887bbd4ddfbbb28e9558a1b47cc3b62dee6685332612eef450e94a1
Opcode Fuzzy Hash: 7fc455223917fb0fcf06fe3d132dd4ee6b2e069a4ca13ffdbcd0756ea121652e
Instruction Fuzzy Hash: 91F0EC304105146B96326B7CDC0D4AA377CAE42374F10C702F43AC10F0EBB85D54C5E9

Function 00734CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000,?,007428E9), ref: 00734D09
TerminateProcess.KERNEL32(00000000,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000,?,007428E9), ref: 00734D10
ExitProcess.KERNEL32 ref: 00734D22

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 587f9d0bcb64feacf17a6f5caa9774471686834c6b9ba6d5a022fae6e187e72b
Instruction ID: f71e474f37f7d0577c0548a2aaf5504297bc068c4a3bdbc9ea5456626bc873f8
Opcode Fuzzy Hash: 587f9d0bcb64feacf17a6f5caa9774471686834c6b9ba6d5a022fae6e187e72b
Instruction Fuzzy Hash: BFE0B631110548FBDF16AF64DD09A593B79EB82781F118014FD099A133CB3DED42CA85

Function 0071BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#~, xrefs: 007607CE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#~
API String ID: 3964851224-2728696344
Opcode ID: 366b7e1b0bbde45f0ca8a0d4e0fff693fdda50e5789802548b46590008f05275
Instruction ID: c02292d465e6b338c137c29cec6f9c6645fe3e361ee6a88ca52c75b719bff6ef
Opcode Fuzzy Hash: 366b7e1b0bbde45f0ca8a0d4e0fff693fdda50e5789802548b46590008f05275
Instruction Fuzzy Hash: 9DA28D70608341CFD711CF68C484B6AB7E1BF89304F14896DE89A9B392D779EC85CB92

Function 0079AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0079B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079B1D4
_wcslen.LIBCMT ref: 0079B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079B236
_wcslen.LIBCMT ref: 0079B332

Part of subcall function 007805A7: GetStdHandle.KERNEL32(000000F6), ref: 007805C6

_wcslen.LIBCMT ref: 0079B34B
_wcslen.LIBCMT ref: 0079B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079B3B6
GetLastError.KERNEL32(00000000), ref: 0079B407
CloseHandle.KERNEL32(?), ref: 0079B439
CloseHandle.KERNEL32(00000000), ref: 0079B44A
CloseHandle.KERNEL32(00000000), ref: 0079B45C
CloseHandle.KERNEL32(00000000), ref: 0079B46E
CloseHandle.KERNEL32(?), ref: 0079B4E3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 41b82f284256e195724f576c30cf610fe9f25c3c16daaf96057872b20220c5e9
Instruction ID: 2dd6ef691732084a6b7ab70e7b8270db7d3fba16c75bb02701d5cf3d6a20750d
Opcode Fuzzy Hash: 41b82f284256e195724f576c30cf610fe9f25c3c16daaf96057872b20220c5e9
Instruction Fuzzy Hash: C7F1AC31604340DFCB15EF28E995B6EBBE1AF85310F14855DF8898B2A2DB39EC44CB52

Function 0071D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0071D807
timeGetTime.WINMM ref: 0071DA07
Sleep.KERNELBASE(0000000A), ref: 0071DBB1
Sleep.KERNEL32(0000000A), ref: 00762B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00762C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00762C29
CloseHandle.KERNEL32(?), ref: 00762C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00762CA9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 225214fbc470c927fa9fb4ab72e1b610ecb1f6ed39631e446457305c07e5e2fd
Instruction ID: f82fb1cb92721b5671b42632a80fcc0d51ac00dfe5b886877876f40a349a80b4
Opcode Fuzzy Hash: 225214fbc470c927fa9fb4ab72e1b610ecb1f6ed39631e446457305c07e5e2fd
Instruction Fuzzy Hash: 0442D070608641EFD735CF28C888BAAB7A0BF85314F548519E8568B2D2D77CEC85CF92

Function 00712CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00712D07
RegisterClassExW.USER32(00000030), ref: 00712D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00712D42
InitCommonControlsEx.COMCTL32(?), ref: 00712D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00712D6F
LoadIconW.USER32(000000A9), ref: 00712D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00712D94

Strings

+, xrefs: 00712CF0
TaskbarCreated, xrefs: 00712D37
AutoIt v3 GUI, xrefs: 00712D23
0, xrefs: 00712CE9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dfe6825f45f290bb68e5d778acd7217887d9ccbd652295985936790c9ed2f015
Instruction ID: e1fe3b45651527b76380ed27353a5991d1fc725b37eff30921cbe47250dbdb5f
Opcode Fuzzy Hash: dfe6825f45f290bb68e5d778acd7217887d9ccbd652295985936790c9ed2f015
Instruction Fuzzy Hash: 9221F9B1902398EFDB01DF94EC89BDD7BB4FB49704F40811AF511AA290D7B95540CF58

Function 0075065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0075039A: CreateFileW.KERNELBASE(00000000,00000000,?,00750704,?,?,00000000,?,00750704,00000000,0000000C), ref: 007503B7

GetLastError.KERNEL32 ref: 0075076F
__dosmaperr.LIBCMT ref: 00750776
GetFileType.KERNELBASE(00000000), ref: 00750782
GetLastError.KERNEL32 ref: 0075078C
__dosmaperr.LIBCMT ref: 00750795
CloseHandle.KERNEL32(00000000), ref: 007507B5
CloseHandle.KERNEL32(?), ref: 007508FF
GetLastError.KERNEL32 ref: 00750931
__dosmaperr.LIBCMT ref: 00750938

Strings

H, xrefs: 007508BD

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9c19d918f0722275fba9651391daa993402c04553b8ed26138bf1fce2925649d
Instruction ID: 2756dfd9e64cdc3823c23120e3f72f3330ee844166fcfcb294bb197b23a930b7
Opcode Fuzzy Hash: 9c19d918f0722275fba9651391daa993402c04553b8ed26138bf1fce2925649d
Instruction Fuzzy Hash: E4A12532A001449FDF19AF68D895BEE3BA0EB4A321F14415DFC11DF292DB799816CBD1

Function 0071344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00713A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E1418,?,00712E7F,?,?,?,00000000), ref: 00713A78

Part of subcall function 00713357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00713379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0071356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0075318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007531CE
RegCloseKey.ADVAPI32(?), ref: 00753210
_wcslen.LIBCMT ref: 00753277
_wcslen.LIBCMT ref: 00753286

Strings

Include, xrefs: 00753184, 007531C5
\Include\, xrefs: 00713527
\, xrefs: 0075328C
Software\AutoIt v3\AutoIt, xrefs: 00713560

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5509d257a4ef8cd9e6b89e035720fe04ef8019d99e7c66ccd20bc2a5a22026ce
Instruction ID: 641b74626531812f7e281e842b2567130f5a6fa06b5443884013a9f87e0bde13
Opcode Fuzzy Hash: 5509d257a4ef8cd9e6b89e035720fe04ef8019d99e7c66ccd20bc2a5a22026ce
Instruction Fuzzy Hash: CD718D71405340AEC314DF29DC869ABBBE8FF89740F40452EF545871A2EB7C9A8ACF65

Function 00712B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00712B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00712B9D
LoadIconW.USER32(00000063), ref: 00712BB3
LoadIconW.USER32(000000A4), ref: 00712BC5
LoadIconW.USER32(000000A2), ref: 00712BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00712BEF
RegisterClassExW.USER32(?), ref: 00712C40

Part of subcall function 00712CD4: GetSysColorBrush.USER32(0000000F), ref: 00712D07
Part of subcall function 00712CD4: RegisterClassExW.USER32(00000030), ref: 00712D31
Part of subcall function 00712CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00712D42
Part of subcall function 00712CD4: InitCommonControlsEx.COMCTL32(?), ref: 00712D5F
Part of subcall function 00712CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00712D6F
Part of subcall function 00712CD4: LoadIconW.USER32(000000A9), ref: 00712D85
Part of subcall function 00712CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00712D94

Strings

AutoIt v3, xrefs: 00712C2F
#, xrefs: 00712C16
0, xrefs: 00712C0F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 07bd633a6ddb6652be54ba343b786d814a85e4eaac00e7df9244790d5e58f00f
Instruction ID: 4982dca1d4aa2946c6a60bc830685cc4544640f3969abe2ee9725dc15f8a5a3d
Opcode Fuzzy Hash: 07bd633a6ddb6652be54ba343b786d814a85e4eaac00e7df9244790d5e58f00f
Instruction Fuzzy Hash: F2213D70E02358AFDB119F95EC96A9D7FB4FB4CB50F40801AE500EA7A0D7B91540CF98

Function 0071B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071BB4E

Strings

p%~, xrefs: 0071BB32
x#~, xrefs: 00760207
p%~, xrefs: 0071B8DC
p#~, xrefs: 00760263
p#~, xrefs: 0071BB6B
x#~, xrefs: 00760168
p#~, xrefs: 0076024F
p#~, xrefs: 0071BA72

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#~$p#~$p#~$p#~$p%~$p%~$x#~$x#~
API String ID: 1385522511-3993589769
Opcode ID: 0a505d872b97696ea69f2eb60285f85285325c4ffd6ab2ec449e69f36b6b0256
Instruction ID: 89e136bec427604818833f11869aa4db7558e2c6158dfdc5454cde948fa105fc
Opcode Fuzzy Hash: 0a505d872b97696ea69f2eb60285f85285325c4ffd6ab2ec449e69f36b6b0256
Instruction Fuzzy Hash: 9A329074A04209DFDB24CF58C894ABEB7B9EF48314F148059ED06AB291D77CED82CB91

Function 00713170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0071316A,?,?), ref: 007131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0071316A,?,?), ref: 00713204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00713227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0071316A,?,?), ref: 00713232
CreatePopupMenu.USER32 ref: 00713246
PostQuitMessage.USER32(00000000), ref: 00713267

Strings

TaskbarCreated, xrefs: 0071322D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8598525eece451ce39067f810198165d680532bcd3012b95e53f0b90ae9d990d
Instruction ID: d7498f32f24b11cbad3cbb81253b2ba8205f76f692222e2ce03392ead23fc2e5
Opcode Fuzzy Hash: 8598525eece451ce39067f810198165d680532bcd3012b95e53f0b90ae9d990d
Instruction Fuzzy Hash: B9414731300288BBDB156B7C9C4EBFD3A29F74A340F448125F9029A1E2CB7DDAC197A5

Function 00711410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00711459
CoUninitialize.COMBASE ref: 007114F8
UnregisterHotKey.USER32(?), ref: 007116DD
DestroyWindow.USER32(?), ref: 007524B9
FreeLibrary.KERNEL32(?), ref: 0075251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0075254B

Strings

close all, xrefs: 00711454

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 17895ffb0cd78f85422b148b3d48f828e58f94d68ae87cbb31625220c23e7190
Instruction ID: 540d7b52b1be858296832f5b41640ae98a657845887050055c73fbdd30021dd6
Opcode Fuzzy Hash: 17895ffb0cd78f85422b148b3d48f828e58f94d68ae87cbb31625220c23e7190
Instruction Fuzzy Hash: E9D1A131701212DFCB19EF18C499AA9F7A0BF06701F5441ADE94A6B292DB39EC67CF50

Function 00712C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00712C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00712CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00711CAD,?), ref: 00712CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00711CAD,?), ref: 00712CCF

Strings

AutoIt v3, xrefs: 00712C89, 00712C8E, 00712C8F
edit, xrefs: 00712CAC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a3b949660ac9a5c9714c627a93af04e0220dc3501074f5bc28d72a468e7fb54c
Instruction ID: dfd36fd927c4f82ca94494c4970cb2751ac708fe6d468624cc0fad9be2f9d430
Opcode Fuzzy Hash: a3b949660ac9a5c9714c627a93af04e0220dc3501074f5bc28d72a468e7fb54c
Instruction Fuzzy Hash: F1F0DA755412D07AEB311717AC8AE772EBDD7CBF50B80805AF900AA9A0C6791851DAB8

Function 00713B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B83

Strings

Control Panel\Mouse, xrefs: 00713B3E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6c5452fc065eb7a4e93cd530fb7913faf89614a159613aa6855c33ed05ac17ca
Instruction ID: 0078ff801ee003af4fd72b8af98ec4cb76e4bac48958a350de0f80346895b6ad
Opcode Fuzzy Hash: 6c5452fc065eb7a4e93cd530fb7913faf89614a159613aa6855c33ed05ac17ca
Instruction Fuzzy Hash: A41127F5614208FFDB218FA9DC85AEFBBB8EF45744B10846AA805D7150E2359E809BA4

Function 00713923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007533A2

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00713A04

Strings

Line: , xrefs: 007533EB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ad3ab6b0298e3919dfa58af1188cafdd1c0a18ed6675e99ee04de72b4181c753
Instruction ID: bd7a0b599e1d0cff4a3815d3206242eb45fa1ec06cc4b7e8de1586e7fe723869
Opcode Fuzzy Hash: ad3ab6b0298e3919dfa58af1188cafdd1c0a18ed6675e99ee04de72b4181c753
Instruction Fuzzy Hash: CC31C571409344AAD721EB18DC4ABEBB7ECAF44714F00451AF599930D1DB7CA689C7C6

Function 00712DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00752C8C

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 00712DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00712DC4

Strings

`e}, xrefs: 00752C85
X, xrefs: 00752C5A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e}
API String ID: 779396738-2683834941
Opcode ID: 0164105ea38a0198ec167846dc3ec67a85c8c89ed149bc93c7e9c5bf856b026e
Instruction ID: 5260650d06b0f85b87e6d1abacea3563a0e0ab950da70406ffa2e126c88eb735
Opcode Fuzzy Hash: 0164105ea38a0198ec167846dc3ec67a85c8c89ed149bc93c7e9c5bf856b026e
Instruction Fuzzy Hash: A7219671A00298DBDB41DF98D8497EE7BF89F49705F10805AE405A7282DBBC5A8D8F61

Function 0072FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00730668

Part of subcall function 007332A4: RaiseException.KERNEL32(?,?,?,0073068A,?,007E1444,?,?,?,?,?,?,0073068A,00711129,007D8738,00711129), ref: 00733304

__CxxThrowException@8.LIBVCRUNTIME ref: 00730685

Strings

Unknown exception, xrefs: 00730692

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: fb295e991040b356e7a8e2a0dc26024c734a70fa7851b3a02c3a0fc029660b39
Instruction ID: 3738ef3aa7bc16a0498bd7a634489059d13cb8c70dca95bfeb5e720267212109
Opcode Fuzzy Hash: fb295e991040b356e7a8e2a0dc26024c734a70fa7851b3a02c3a0fc029660b39
Instruction Fuzzy Hash: D7F0C234A0020DF7DB04B6A4E86AD9E777C6E40320F604532F824D6597EF79EA65C5C1

Function 007110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00711BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711BF4
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00711BFC
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00711C07
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00711C12
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00711C1A
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00711C22

Part of subcall function 00711B4A: RegisterWindowMessageW.USER32(00000004,?,007112C4), ref: 00711BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0071136A
OleInitialize.OLE32 ref: 00711388
CloseHandle.KERNEL32(00000000,00000000), ref: 007524AB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3d12395fc684213075d0232744f24e3bb8755de42ccc99fdd5e1b563f1f2dc13
Instruction ID: 55fc5a7b85a390aed54c42a564f7ea5afc2d3248a32d7752b327b437c4c949aa
Opcode Fuzzy Hash: 3d12395fc684213075d0232744f24e3bb8755de42ccc99fdd5e1b563f1f2dc13
Instruction Fuzzy Hash: 0F717EB49033C09EC785DF69A9876993AE0BB8D3543D4C22A911ACF3A1EB3C5491CF59

Function 0077C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00713923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00713A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0077C259
KillTimer.USER32(?,00000001,?,?), ref: 0077C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0077C270

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: cbcfb45c63eb10e59cfabbdb4b85d4a28c73fc2b24470b0962c1671b5b667b5c
Instruction ID: 8e12aa002fb6a9ceda885705988786615e48ad772155b7d70fef3aa54d0572eb
Opcode Fuzzy Hash: cbcfb45c63eb10e59cfabbdb4b85d4a28c73fc2b24470b0962c1671b5b667b5c
Instruction Fuzzy Hash: 1F31C570A04344AFEF23CF649895BE7BBECAB0A344F00849DD2DE97242C7785A84CB55

Function 007486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007485CC,?,007D8CC8,0000000C), ref: 00748704
GetLastError.KERNEL32(?,007485CC,?,007D8CC8,0000000C), ref: 0074870E
__dosmaperr.LIBCMT ref: 00748739

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d9edd168f9b517d021ee5c9dc2a02ff6c2b364a2f9a3044e4896393e8738309d
Instruction ID: 220c78d434cec0b5602b0aaeef549645116e905eb5a9ee5840d40c0f354895e9
Opcode Fuzzy Hash: d9edd168f9b517d021ee5c9dc2a02ff6c2b364a2f9a3044e4896393e8738309d
Instruction Fuzzy Hash: 49018933A0526467D6E66734A889B7E27494B82B78F3A0119F818CB1D3DFACCC818193

Function 0071DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0071DB7B
DispatchMessageW.USER32(?), ref: 0071DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0071DB9F
Sleep.KERNELBASE(0000000A), ref: 0071DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00761CC9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 0880fb337d42742b7d4b4b3e8a3f42a988bbc0f41096a2112f9229f5de96682d
Instruction ID: 0959bbbc4cf89211d7a123bbe614e4a405870366d319ba41c7ec1cf9ab29f411
Opcode Fuzzy Hash: 0880fb337d42742b7d4b4b3e8a3f42a988bbc0f41096a2112f9229f5de96682d
Instruction Fuzzy Hash: 5CF054306443409BE730C7648C49FDA73ACEB85310F508518E60A870C0DB3894849F25

Function 00721310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007217F6

Strings

CALL, xrefs: 007217C6

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3080a263ca8f0ded8ac2a2cb3d05cb1dc477d22eae494c4bbc12a26ee95ad4ad
Instruction ID: 95f39f7418a0ebf6ff2b716d1e519465e902f3b8bf85a8ee810a38db45513dec
Opcode Fuzzy Hash: 3080a263ca8f0ded8ac2a2cb3d05cb1dc477d22eae494c4bbc12a26ee95ad4ad
Instruction Fuzzy Hash: 6622CB70608351DFC714DF14D484A2ABBF1BF99314FA4896DF8868B3A2D739E851CB82

Function 00713837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713908

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b0ed89807fe0cba6536bc76611406b9f9caa42bd89f36f79cd9e9b464e2d90a9
Instruction ID: 66e2e1dfc3589fba36e3874dcc514136f424ccd4df000746995c296624b9695f
Opcode Fuzzy Hash: b0ed89807fe0cba6536bc76611406b9f9caa42bd89f36f79cd9e9b464e2d90a9
Instruction Fuzzy Hash: B531D270505300DFD721DF28D8857D7BBE8FB49708F00092EF99997290E7B9AA84CB56

Function 0072F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0072F661

Part of subcall function 0071D730: GetInputState.USER32 ref: 0071D807

Sleep.KERNEL32(00000000), ref: 0076F2DE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: eb834e4d1c80d41eae97cc22a182dbcb257b35ec54cf4f633026b1c349e4e863
Instruction ID: 8706964f43dd2b6efa8d98429620fb361a5e0db4d69cc8140a8e6dccf3b3742a
Opcode Fuzzy Hash: eb834e4d1c80d41eae97cc22a182dbcb257b35ec54cf4f633026b1c349e4e863
Instruction Fuzzy Hash: B2F08231240215AFD310EF69D449B9AB7E5FF49760F004029E859C72A0DB74AC40CF94

Function 00714ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00714E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E9C
Part of subcall function 00714E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714EAE
Part of subcall function 00714E90: FreeLibrary.KERNEL32(00000000,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EFD

Part of subcall function 00714E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E62
Part of subcall function 00714E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714E74
Part of subcall function 00714E59: FreeLibrary.KERNEL32(00000000,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E87

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8fe67c9b368e29d9519de14325d62151ee7c813283ac5717759b8990d84b2c24
Instruction ID: 76af7969f5a0577337adbcd0faad85bf62a73e91abf4df71a3cd64f4a0ee156a
Opcode Fuzzy Hash: 8fe67c9b368e29d9519de14325d62151ee7c813283ac5717759b8990d84b2c24
Instruction Fuzzy Hash: B011EB31600205EBDF15BB68DC0AFED77A59F80711F10441DF542A62D1DE799A85D750

Function 00748402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00748440

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 53b033ee531f3662b986c7b0c6d20b4bb0eb6f716091fe4cba2d80b76bd444c7
Instruction ID: f30460c853e3dc0e3e3513be94dcb57c2beb8d9763100a9eb2d3614fc12aec4b
Opcode Fuzzy Hash: 53b033ee531f3662b986c7b0c6d20b4bb0eb6f716091fe4cba2d80b76bd444c7
Instruction Fuzzy Hash: 781118B590410EAFCB05DF58E94599E7BF5EF48314F144059FC08AB312DB35EA11CBA5

Function 0073E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1a243268a1c68ddd28128b956a7ceb449ee541cce34ddaf88e3c17b924417484
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 88F0CD32511A14D7F7313A659C0EB5B37989F52375F100719F525931D3DB7CE80285A6

Function 00743820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d0a7271a6bd409d3eac5dad85aee32aa6fffc57d141abbbb920bd9ed82cfbe6
Instruction ID: baf43af9b646a94707b2f5615ce9bdf9c07b6fd36ae64d4b311f996c418f76aa
Opcode Fuzzy Hash: 0d0a7271a6bd409d3eac5dad85aee32aa6fffc57d141abbbb920bd9ed82cfbe6
Instruction Fuzzy Hash: 5EE0E532141224AAF62126679C05B9BB74DAB827B0F0A0022BC1C96481DB2DED0185F0

Function 00714F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714F6D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c11b6d10422cd28595214c7678423047eb02288be0cf4819301b5c5079df35d7
Instruction ID: b39c22409534f28a96a4f2beedde8827906a01dfd44a995f61bfe2f7a18688fe
Opcode Fuzzy Hash: c11b6d10422cd28595214c7678423047eb02288be0cf4819301b5c5079df35d7
Instruction Fuzzy Hash: 2FF0A070105301CFDB348F28D490892B7F8EF00319318897EE1DA86651C7399885DF00

Function 007A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007A2A66

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 1b4aff5d77f260064805788c68df850fb6716d1bed297515d1e991907346a233
Instruction ID: 8c07aa0e673b91d56d4c42682d10902553fb8fedd802c9175d66af25f3b5e7d4
Opcode Fuzzy Hash: 1b4aff5d77f260064805788c68df850fb6716d1bed297515d1e991907346a233
Instruction Fuzzy Hash: C1E0DF3238011AAECB10EA34DC849FA734CEB91395B108636BC2AC2101DB38998286A0

Function 007130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0071314E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 945847f4eee698005b5f95895eb9710610e8ac161fa8b45af31a526106f11494
Instruction ID: cde9f29037e05a8d30cbb90b11d99c27e502a61487f44a4ba6581412cdb6456a
Opcode Fuzzy Hash: 945847f4eee698005b5f95895eb9710610e8ac161fa8b45af31a526106f11494
Instruction Fuzzy Hash: D9F0A7709003589FE753DB24DC8A7D57BBCA705708F0040E5A1489A182D77847C8CF45

Function 00712DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00712DC4

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6faf21b02cf0af1eddda0951b7f0fd8b36994c43d369bbe4e98e88740bdc7243
Instruction ID: ef46e7dde26e139298ecb2fe795f6294e96c75ef564f41c83da2b11f1bb84556
Opcode Fuzzy Hash: 6faf21b02cf0af1eddda0951b7f0fd8b36994c43d369bbe4e98e88740bdc7243
Instruction Fuzzy Hash: D6E0CD726041245BC72192589C09FEA77EDDFC8791F054071FD09D7288D964AD848550

Function 00712B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00713837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713908

Part of subcall function 0071D730: GetInputState.USER32 ref: 0071D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00712B6B

Part of subcall function 007130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0071314E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3af3390a6e78bbfa73126e08ad70e50686c00815381e8b541e7ad39f310b5f4d
Instruction ID: 409194b16441804dff6b74a42844c6ffe8a26902afca06ce8ac2de5d6dce600e
Opcode Fuzzy Hash: 3af3390a6e78bbfa73126e08ad70e50686c00815381e8b541e7ad39f310b5f4d
Instruction Fuzzy Hash: 7AE0263230428483CB04BB7CA85B4EDA3998BD6351F40043EF142472E3CE2C89C64352

Function 0075039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00750704,?,?,00000000,?,00750704,00000000,0000000C), ref: 007503B7

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 355314f27c768120cf49cee82f4b5c06d1c41d98c15c983ea39391b747edfdcd
Instruction ID: 4dae7c9d816b162cea2ea98dab8e5618de76efff89b4ddcf5f45c17c5ab07e1e
Opcode Fuzzy Hash: 355314f27c768120cf49cee82f4b5c06d1c41d98c15c983ea39391b747edfdcd
Instruction Fuzzy Hash: 32D06C3214010DBBDF028F84DD06EDA3BAAFB88714F018000BE1856020C736E821AB94

Function 00711CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00711CBC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 93ace0ad0194841b87b462004dad1eb3a08eef01334c53c28c6b65d760432aa2
Instruction ID: 7b27006ae3dbb585dc09542d98860080c415c026221e8c6ba1212d1f650abdde
Opcode Fuzzy Hash: 93ace0ad0194841b87b462004dad1eb3a08eef01334c53c28c6b65d760432aa2
Instruction Fuzzy Hash: E8C09B36281344AFF2154784BD9BF107758A34CB00F54C001F6095D5E3C7B51830D658

Non-executed Functions

Function 007A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A96C9
SendMessageW.USER32 ref: 007A96F2
GetKeyState.USER32(00000011), ref: 007A978B
GetKeyState.USER32(00000009), ref: 007A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007A97AE
GetKeyState.USER32(00000010), ref: 007A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A97E9
SendMessageW.USER32 ref: 007A9810
SendMessageW.USER32(?,00001030,?,007A7E95), ref: 007A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007A9941
SetCapture.USER32(?), ref: 007A994A
ClientToScreen.USER32(?,?), ref: 007A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A99D6
ReleaseCapture.USER32 ref: 007A99E1
GetCursorPos.USER32(?), ref: 007A9A19
ScreenToClient.USER32(?,?), ref: 007A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007A9A80
SendMessageW.USER32 ref: 007A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007A9AEB
SendMessageW.USER32 ref: 007A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007A9B4A
GetCursorPos.USER32(?), ref: 007A9B68
ScreenToClient.USER32(?,?), ref: 007A9B75
GetParent.USER32(?), ref: 007A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007A9BFA
SendMessageW.USER32 ref: 007A9C2B
ClientToScreen.USER32(?,?), ref: 007A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007A9CDE
SendMessageW.USER32 ref: 007A9D01
ClientToScreen.USER32(?,?), ref: 007A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007A9D82

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

GetWindowLongW.USER32(?,000000F0), ref: 007A9E05

Strings

F, xrefs: 007A9D07
p#~, xrefs: 007A9990
@GUI_DRAGID, xrefs: 007A997D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#~
API String ID: 3429851547-1555356086
Opcode ID: a81494756b5c16d922db1a6d2933ba0c91873e23e13bb3b0c71040077a71e5a5
Instruction ID: 6a82f58d750d80f826d47a86aeee34baf1f2e70868d32edbe6bfb59c7a7a74e7
Opcode Fuzzy Hash: a81494756b5c16d922db1a6d2933ba0c91873e23e13bb3b0c71040077a71e5a5
Instruction Fuzzy Hash: DF429D34605240EFD725CF24CC88EAABBE5FF8A320F144659F699872A1D739E860CF55

Function 007A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007A4A7E
IsMenu.USER32(?), ref: 007A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A4B20
GetWindowLongW.USER32(?,000000F0), ref: 007A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007A4C82
wsprintfW.USER32 ref: 007A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007A4D5A

Strings

%d/%02d/%02d, xrefs: 007A4CA8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 44bf4942d07013e576dd051c1f049ac2386a27cc24b32a9f34ed5e6517faed13
Instruction ID: 30c6300bd6b80a34e4908a5955d2e2492ee48131dc943114950bd07f17795a1d
Opcode Fuzzy Hash: 44bf4942d07013e576dd051c1f049ac2386a27cc24b32a9f34ed5e6517faed13
Instruction Fuzzy Hash: 7F12D071600214ABEB258F28DC49FAE7BF8EFC6310F144269F516EA1E1DBBD9940CB50

Function 0072F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0072F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076F474
IsIconic.USER32(00000000), ref: 0076F47D
ShowWindow.USER32(00000000,00000009), ref: 0076F48A
SetForegroundWindow.USER32(00000000), ref: 0076F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076F4AA
GetCurrentThreadId.KERNEL32 ref: 0076F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0076F4DE
SetForegroundWindow.USER32(00000000), ref: 0076F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F4F6
keybd_event.USER32(00000012,00000000), ref: 0076F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F50B
keybd_event.USER32(00000012,00000000), ref: 0076F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F519
keybd_event.USER32(00000012,00000000), ref: 0076F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F528
keybd_event.USER32(00000012,00000000), ref: 0076F52D
SetForegroundWindow.USER32(00000000), ref: 0076F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0076F557

Strings

Shell_TrayWnd, xrefs: 0076F46F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ad45ca6c94f6a93eea2836f35a993232b7eee342b020b3f77d46d15c4c93711b
Instruction ID: c74e06e898cf58708ede0b832b91664226dcd9e869fee5993b54badd4cbcc2b9
Opcode Fuzzy Hash: ad45ca6c94f6a93eea2836f35a993232b7eee342b020b3f77d46d15c4c93711b
Instruction Fuzzy Hash: C3318671A40218BFEB216BB55C4AFBF7E6CEB85B50F204065FA01F61D1CBB85D10AE64

Function 00771201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
Part of subcall function 007716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
Part of subcall function 007716C3: GetLastError.KERNEL32 ref: 0077174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00771286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007712A8
CloseHandle.KERNEL32(?), ref: 007712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007712D1
GetProcessWindowStation.USER32 ref: 007712EA
SetProcessWindowStation.USER32(00000000), ref: 007712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00771310

Part of subcall function 007710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007711FC), ref: 007710D4
Part of subcall function 007710BF: CloseHandle.KERNEL32(?,?,007711FC), ref: 007710E9

Strings

winsta0, xrefs: 007712CC
Z}, xrefs: 00771392
, xrefs: 0077125A
default, xrefs: 0077130B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z}
API String ID: 22674027-3716028957
Opcode ID: e62c606862cfbebad838c9b699c1d405002b67a62d9c5baee46d65d7bc8d700c
Instruction ID: d3b4d6251fc08764519caa10097faab7ddcc3c74bb6bbace1a1b9e2037359d67
Opcode Fuzzy Hash: e62c606862cfbebad838c9b699c1d405002b67a62d9c5baee46d65d7bc8d700c
Instruction Fuzzy Hash: 1581AB71A00248BFDF218FA8DC49FEE7BB9EF45744F14C129F918A62A0D7388944CB65

Function 00770B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
Part of subcall function 007710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
Part of subcall function 007710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
Part of subcall function 007710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00770BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00770C00
GetLengthSid.ADVAPI32(?), ref: 00770C17
GetAce.ADVAPI32(?,00000000,?), ref: 00770C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00770C6D
GetLengthSid.ADVAPI32(?), ref: 00770C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00770C8C
HeapAlloc.KERNEL32(00000000), ref: 00770C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00770CB4
CopySid.ADVAPI32(00000000), ref: 00770CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00770CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00770D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00770D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D45
HeapFree.KERNEL32(00000000), ref: 00770D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D55
HeapFree.KERNEL32(00000000), ref: 00770D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D65
HeapFree.KERNEL32(00000000), ref: 00770D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00770D78
HeapFree.KERNEL32(00000000), ref: 00770D7F

Part of subcall function 00771193: GetProcessHeap.KERNEL32(00000008,00770BB1,?,00000000,?,00770BB1,?), ref: 007711A1
Part of subcall function 00771193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00770BB1,?), ref: 007711A8
Part of subcall function 00771193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00770BB1,?), ref: 007711B7

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 28f3d4fc6f9c1a95f6163a31f2b6b251e1c4e60423151022542d778f4d71e806
Instruction ID: a79a72d81b488964055420e2883e5a6b6d4bd599990f97b037976d16129a087d
Opcode Fuzzy Hash: 28f3d4fc6f9c1a95f6163a31f2b6b251e1c4e60423151022542d778f4d71e806
Instruction Fuzzy Hash: 12715C71A0020AFBDF11DFA4DC49BEEBBB8BF45340F048515E919A6291D779A905CFA0

Function 0078EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007ACC08), ref: 0078EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0078EB37
GetClipboardData.USER32(0000000D), ref: 0078EB43
CloseClipboard.USER32 ref: 0078EB4F
GlobalLock.KERNEL32(00000000), ref: 0078EB87
CloseClipboard.USER32 ref: 0078EB91
GlobalUnlock.KERNEL32(00000000), ref: 0078EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0078EBC9
GetClipboardData.USER32(00000001), ref: 0078EBD1
GlobalLock.KERNEL32(00000000), ref: 0078EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0078EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0078EC38
GetClipboardData.USER32(0000000F), ref: 0078EC44
GlobalLock.KERNEL32(00000000), ref: 0078EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0078EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0078EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0078ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0078ECF3
CountClipboardFormats.USER32 ref: 0078ED14
CloseClipboard.USER32 ref: 0078ED59

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0bab003d0e0320b9390f0a55d49cbc6ea106e04e9e5cf06a8ebadb4c11ce8279
Instruction ID: 7ff2d144c836c6dbad879efa604d19d99da0c70b2948f4a286ddd7a8435cb60c
Opcode Fuzzy Hash: 0bab003d0e0320b9390f0a55d49cbc6ea106e04e9e5cf06a8ebadb4c11ce8279
Instruction Fuzzy Hash: 2661EF74244201EFD301EF24C889F6ABBE4AF85714F088519F456872E2DB39ED4ACB62

Function 0078698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007869BE
FindClose.KERNEL32(00000000), ref: 00786A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00786A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00786A75

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00786AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00786ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00786B32
%03d, xrefs: 00786DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00786B6A
%02d, xrefs: 00786C00, 00786C0A, 00786C5A, 00786CAA, 00786CFA, 00786D4A
%4d, xrefs: 00786BB1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 562bcd879568ef63ad33bd485137ce873c6d95c7d3f6825f48d5f86038c7ccbb
Instruction ID: 7ffda116ebeb2cbccff88cbb81b9775a738d55b85e881619ee921dade9aafed1
Opcode Fuzzy Hash: 562bcd879568ef63ad33bd485137ce873c6d95c7d3f6825f48d5f86038c7ccbb
Instruction Fuzzy Hash: D8D15FB2508340AFC314EBA4D896EABB7FCAF88704F04491DF585D7191EB78DA45CB62

Function 00789642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00789663
GetFileAttributesW.KERNEL32(?), ref: 007896A1
SetFileAttributesW.KERNEL32(?,?), ref: 007896BB
FindNextFileW.KERNEL32(00000000,?), ref: 007896D3
FindClose.KERNEL32(00000000), ref: 007896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0078974A
SetCurrentDirectoryW.KERNEL32(007D6B7C), ref: 00789768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00789772
FindClose.KERNEL32(00000000), ref: 0078977F
FindClose.KERNEL32(00000000), ref: 0078978F

Strings

*.*, xrefs: 007896F5

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 93c6126d0f99e7c40292689ab43ee0ee243e72afea715aac616d014d1b76eb01
Instruction ID: 858c53429e59d10ad98046e1903c59807454d7089f3e72114eb0827220df6c2d
Opcode Fuzzy Hash: 93c6126d0f99e7c40292689ab43ee0ee243e72afea715aac616d014d1b76eb01
Instruction Fuzzy Hash: 6831D5726802197EDF11AFB4DC08AEE77ACAF4A320F188156F905E2190EB3CDE408B54

Function 0078979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00789819
FindClose.KERNEL32(00000000), ref: 00789824
FindFirstFileW.KERNEL32(*.*,?), ref: 00789840
SetCurrentDirectoryW.KERNEL32(?), ref: 00789890
SetCurrentDirectoryW.KERNEL32(007D6B7C), ref: 007898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007898B8
FindClose.KERNEL32(00000000), ref: 007898C5
FindClose.KERNEL32(00000000), ref: 007898D5

Part of subcall function 0077DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0077DB00

Strings

*.*, xrefs: 0078983B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: aed0af55bc730b3888182c04a3562b5680cb5ad48e1b07822a8069f282657d21
Instruction ID: 46cd3f0ec63e8c1e6efcd3a4ce6290e8e6a1d0c281f81b25f855111afa7bb3e6
Opcode Fuzzy Hash: aed0af55bc730b3888182c04a3562b5680cb5ad48e1b07822a8069f282657d21
Instruction Fuzzy Hash: 0C31E57258021ABEEF10AFB4DC48AEE37ACAF46320F188156E950A21D1DB39DD448B64

Function 0079BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0079BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0079BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0079C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0079C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0079C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0079C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0079C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0079C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0079C382
RegCloseKey.ADVAPI32(00000000), ref: 0079C38F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 276e6d2b0cdc95f8063d8edee3c4113b284afc392794b707296ed3eb16c52ca8
Instruction ID: ed15d1b0746906dad85432a15a451fb6f358487b1da47371d7fbc3be250a8008
Opcode Fuzzy Hash: 276e6d2b0cdc95f8063d8edee3c4113b284afc392794b707296ed3eb16c52ca8
Instruction Fuzzy Hash: 91025B71604200EFDB15DF28D895E2ABBE5AF89304F18C49DF84ACB2A2D735EC45CB52

Function 00788195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00788257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00788267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00788273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00788310
SetCurrentDirectoryW.KERNEL32(?), ref: 00788324
SetCurrentDirectoryW.KERNEL32(?), ref: 00788356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0078838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00788395

Strings

*.*, xrefs: 0078839B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bd9edf07b6185b93a98b33d185296ee8198aba7e26d99652cedd5496b9697f4b
Instruction ID: 6fba0a85c048567482ed5dcfcfe7098b29670df480dd8df3f8dc156f1a006c0b
Opcode Fuzzy Hash: bd9edf07b6185b93a98b33d185296ee8198aba7e26d99652cedd5496b9697f4b
Instruction Fuzzy Hash: DA617BB25443059FCB10EF64C8449AEB3E9FF89310F44891EF999C7251EB39E945CB92

Function 0077D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

FindFirstFileW.KERNEL32(?,?), ref: 0077D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0077D1DD
MoveFileW.KERNEL32(?,?), ref: 0077D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0077D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077D237

Part of subcall function 0077D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0077D21C,?,?), ref: 0077D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0077D253
FindClose.KERNEL32(00000000), ref: 0077D264

Strings

\*.*, xrefs: 0077D0CD, 0077D0D6, 0077D0EB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: be0c871c67662cc5346ffa71317debb57d520037972d43d8d722098143122fdc
Instruction ID: 1f49a11783cd33b1f511c938a3580366ca277e130ce0a6f379f41f4f6855aa5c
Opcode Fuzzy Hash: be0c871c67662cc5346ffa71317debb57d520037972d43d8d722098143122fdc
Instruction Fuzzy Hash: 91618C3180110DEFCF15EBE4C9969EDB7B9AF55340F248065E50A77192EB38AF4ACB60

Function 0078ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0078ED91
EmptyClipboard.USER32 ref: 0078ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0078EDAC
CloseClipboard.USER32 ref: 0078EEA3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 81dc2018dd5b35acd2b2d6e76b076b0457d2b0da4d7cb6fee5e29de10933396b
Instruction ID: b3dc44cb50ab052d5fb7f293f49f538a7bceeae591fce03841f2272534dfe90b
Opcode Fuzzy Hash: 81dc2018dd5b35acd2b2d6e76b076b0457d2b0da4d7cb6fee5e29de10933396b
Instruction Fuzzy Hash: F9418D35244611EFE721EF15D888B59BBE5FF45318F14C099E4158B6A2C739EC42CB94

Function 0077E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
Part of subcall function 007716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
Part of subcall function 007716C3: GetLastError.KERNEL32 ref: 0077174A

ExitWindowsEx.USER32(?,00000000), ref: 0077E932

Strings

, xrefs: 0077E95C
@, xrefs: 0077E925
, xrefs: 0077E920
SeShutdownPrivilege, xrefs: 0077E902

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0a0e9755ed3d4f0c1e54f7d341ad550eddc1e42f33232dda7ade74d32f1b6513
Instruction ID: 4ac8a1da5beee408550004aed758433446311a5863956aaee349a67a270a4d24
Opcode Fuzzy Hash: 0a0e9755ed3d4f0c1e54f7d341ad550eddc1e42f33232dda7ade74d32f1b6513
Instruction Fuzzy Hash: D9012B73610210BBEF5426749C89BBB725C97087C4F15C462FA06E21D1D6AC7C408695

Function 00791204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00791276
WSAGetLastError.WSOCK32 ref: 00791283
bind.WSOCK32(00000000,?,00000010), ref: 007912BA
WSAGetLastError.WSOCK32 ref: 007912C5
closesocket.WSOCK32(00000000), ref: 007912F4
listen.WSOCK32(00000000,00000005), ref: 00791303
WSAGetLastError.WSOCK32 ref: 0079130D
closesocket.WSOCK32(00000000), ref: 0079133C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 47335f9a358128dab459d3b5408c19b90a1a5232dfa1c3e9869a847cd8a3357d
Instruction ID: f581364c2dc70ccfe56072e5df8c08002543a07f46a255e19c6a8cca276a01d1
Opcode Fuzzy Hash: 47335f9a358128dab459d3b5408c19b90a1a5232dfa1c3e9869a847cd8a3357d
Instruction Fuzzy Hash: 6F418431600101AFDB10EF68D488B69BBE6BF86314F58C198D8569F2D2C779ED81CBE1

Function 0077D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

FindFirstFileW.KERNEL32(?,?), ref: 0077D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0077D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077D481
FindClose.KERNEL32(00000000), ref: 0077D498
FindClose.KERNEL32(00000000), ref: 0077D4A1

Strings

\*.*, xrefs: 0077D3F2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 617ef96ba5d6e4ffc7c1029e71a398054fa54e6d113355d54847c9e5edd9824c
Instruction ID: 48e10a85b0e9c74252726a5ea6374990367a8fd1cd3b0c1da4c5a09b27049853
Opcode Fuzzy Hash: 617ef96ba5d6e4ffc7c1029e71a398054fa54e6d113355d54847c9e5edd9824c
Instruction Fuzzy Hash: 2D318171008381ABC711EF64C8558EFB7B8BE91350F44891DF4D5521D1EB28AE49C767

Function 0074E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0074E645

Strings

1#INF, xrefs: 0074F852
1#IND, xrefs: 0074F83D
1#QNAN, xrefs: 0074F84B
1#SNAN, xrefs: 0074F844

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6438fa1dae4be82e3f1e67f6d38bb40d6ac640762a464eda0afb28ce18a09e8f
Instruction ID: b94f35600fa1faed84426f93ab01cc4148812555cb312560ec175ac0d9ad1d44
Opcode Fuzzy Hash: 6438fa1dae4be82e3f1e67f6d38bb40d6ac640762a464eda0afb28ce18a09e8f
Instruction Fuzzy Hash: BEC23972E086288FDB25CE28DD447EAB7B5FB48315F1541EAD84DE7241E778AE818F40

Function 0078648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007864DC
CoInitialize.OLE32(00000000), ref: 00786639
CoCreateInstance.OLE32(007AFCF8,00000000,00000001,007AFB68,?), ref: 00786650
CoUninitialize.OLE32 ref: 007868D4

Strings

.lnk, xrefs: 007864BA, 00786524, 007865E0

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 02986613a8c3cd88651a7b4077b10be7eb24a244a33e96234c5826a62059cc2c
Instruction ID: b5e507368f04c98dbfce830ca91f85da0fafd7c3864cf5ddf2751edc04662272
Opcode Fuzzy Hash: 02986613a8c3cd88651a7b4077b10be7eb24a244a33e96234c5826a62059cc2c
Instruction Fuzzy Hash: 3FD15D71548301AFC304EF24C8959ABB7E8FF98704F00496DF5958B291DB74ED46CBA2

Function 007922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007922E8

Part of subcall function 0078E4EC: GetWindowRect.USER32(?,?), ref: 0078E504

GetDesktopWindow.USER32 ref: 00792312
GetWindowRect.USER32(00000000), ref: 00792319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00792355
GetCursorPos.USER32(?), ref: 00792381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007923DF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 74626ba06ae9e3f32bfdbd6df191f89e4cc1576afe3b89ae312d9380aa37dded
Instruction ID: 251b3c70d79bc3e8cc5b3627ad737d4d9e2cbdc03e739c03e570955870b0e2a4
Opcode Fuzzy Hash: 74626ba06ae9e3f32bfdbd6df191f89e4cc1576afe3b89ae312d9380aa37dded
Instruction Fuzzy Hash: 5931E072504315AFCB21EF14D849B5BBBA9FFC9310F004919F98997182DB38EA09CB96

Function 00789B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00789B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00789C8B

Part of subcall function 00783874: GetInputState.USER32 ref: 007838CB
Part of subcall function 00783874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00783966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00789BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00789C75

Strings

*.*, xrefs: 00789B5D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 86b073a4ac8725bb02d0592948e40be599f75e6d8c24b089cf6af01876d24107
Instruction ID: a90d64912a4ddcf9ee2f3db1ae3159fdb9dd2a2be9e2a67a55a1f03b3bc84655
Opcode Fuzzy Hash: 86b073a4ac8725bb02d0592948e40be599f75e6d8c24b089cf6af01876d24107
Instruction Fuzzy Hash: 66418371940209EFDF15EF74C849AEEBBB4FF45310F244156E905A2191EB399E84CF64

Function 0072997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00729A4E
GetSysColor.USER32(0000000F), ref: 00729B23
SetBkColor.GDI32(?,00000000), ref: 00729B36

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fa809e35345170dc9e7ca2c602f505803d98e37d457e3317320fb0adc8c3934d
Instruction ID: 537bb205f96940ef3e425cb51287367c28107cd6367a87638e964c25096f45ba
Opcode Fuzzy Hash: fa809e35345170dc9e7ca2c602f505803d98e37d457e3317320fb0adc8c3934d
Instruction Fuzzy Hash: 41A14BB0109564FEE72D9A3CAC8DD7B26ADDF87354F188209FB03CA591CA2D9D41C275

Function 00791806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0079307A
Part of subcall function 0079304E: _wcslen.LIBCMT ref: 0079309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0079185D
WSAGetLastError.WSOCK32 ref: 00791884
bind.WSOCK32(00000000,?,00000010), ref: 007918DB
WSAGetLastError.WSOCK32 ref: 007918E6
closesocket.WSOCK32(00000000), ref: 00791915

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 05a676cb686d0d096d18536a321371709b4f72738e5fa3d793365e6b9cae3269
Instruction ID: b58b9c2e3cb7a583d2fb73c7095b2db2ab23c087bce01bb604ccd77e3dc0044c
Opcode Fuzzy Hash: 05a676cb686d0d096d18536a321371709b4f72738e5fa3d793365e6b9cae3269
Instruction Fuzzy Hash: 5D51B271A00210AFEB10AF28D88AF6A77E5AB45718F48C098F9155F3C3C779AD41CBE1

Function 007A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007A1CC0
IsWindowEnabled.USER32 ref: 007A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007A1CDB
IsIconic.USER32 ref: 007A1CE9
IsZoomed.USER32 ref: 007A1CF7

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 62c98ec723058b74ebb758a46ebebb1a5503e756fbe57cb08991250d4c5f13a7
Instruction ID: a8996c36dca701b868b75ecbc45157b8a3a4aa0f26dac9a65b8e974d398cc0dc
Opcode Fuzzy Hash: 62c98ec723058b74ebb758a46ebebb1a5503e756fbe57cb08991250d4c5f13a7
Instruction Fuzzy Hash: 2B21B5317402109FE7218F2AC844B6A7BE5EFC6325F598158E846CB352DB79DC42CBA4

Function 00718060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0071843C
VUUU, xrefs: 00755DF0
VUUU, xrefs: 007183E8
ERCP, xrefs: 0071813C
VUUU, xrefs: 007183FA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: df8e9dc1cdb6a7926c90eeb52d33befd0598dd8548cd29112a85b89358718b2d
Instruction ID: 6f557e7a13bc18746ad785e39757a3d4a7b738f0cd969186fb62d65c51621c92
Opcode Fuzzy Hash: df8e9dc1cdb6a7926c90eeb52d33befd0598dd8548cd29112a85b89358718b2d
Instruction Fuzzy Hash: F1A29F70E0061ACBDF64CF58C8907EDB7B1BB54311F2481AAEC15A7285EB789DC5CB91

Function 00778298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007782AA

Strings

|, xrefs: 007782DA
(, xrefs: 007782F0
tb}, xrefs: 007784F4

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb}$|
API String ID: 1659193697-2483859856
Opcode ID: 06ca9abe8df5813ffe82be1799a0d1ab9c3b2158c5582010cce5b058332239b8
Instruction ID: a241425c70ab24491b6eaa44b3166cd77de142b95661e282271aac67f5c28c39
Opcode Fuzzy Hash: 06ca9abe8df5813ffe82be1799a0d1ab9c3b2158c5582010cce5b058332239b8
Instruction Fuzzy Hash: B8323474A00605DFCB68CF69C084A6AB7F0FF48750B15C56EE49ADB3A1EB74E981CB41

Function 0077AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0077AAAC
SetKeyboardState.USER32(00000080), ref: 0077AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0077AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0077AB88

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 32e0fa2ea806937e60ccd7e3bb6284240c35afdf3502e4d20e6411c8ac2fb7bb
Instruction ID: f7b293f2b0219cd9f7f119fe342ad18b58da321774cfe073e7bc186f8075620e
Opcode Fuzzy Hash: 32e0fa2ea806937e60ccd7e3bb6284240c35afdf3502e4d20e6411c8ac2fb7bb
Instruction Fuzzy Hash: E33109B1A40248BEFF35CA64CC05BFE77A6ABC5350F04C21AF189561E1D37C9985C766

Function 0074BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0074BB7F

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

GetTimeZoneInformation.KERNEL32 ref: 0074BB91
WideCharToMultiByte.KERNEL32(00000000,?,007E121C,000000FF,?,0000003F,?,?), ref: 0074BC09
WideCharToMultiByte.KERNEL32(00000000,?,007E1270,000000FF,?,0000003F,?,?,?,007E121C,000000FF,?,0000003F,?,?), ref: 0074BC36

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 6705edb71f69fe3b7b964306c2a611753f532707a779766239f05196f37f635d
Instruction ID: 22fa56a5a1d48a073939ae7add3f9a112ad3eb0a06da71f2a50633785c7e7ae9
Opcode Fuzzy Hash: 6705edb71f69fe3b7b964306c2a611753f532707a779766239f05196f37f635d
Instruction Fuzzy Hash: 2C31B070A04245EFCB11DF69CCC182DBBB8FF4A35075586AAE150DB2A1D738DD41CB64

Function 0078CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0078CE89
GetLastError.KERNEL32(?,00000000), ref: 0078CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0078CEFE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e9ead9153a08f7de0269bb3caec01bcef9ac18df9910645065bfe02d507bfe0c
Instruction ID: 5ab7a1b3cc7ec420ee4d53d9262dfa284f086548df018b9464d9b5e09cb0678b
Opcode Fuzzy Hash: e9ead9153a08f7de0269bb3caec01bcef9ac18df9910645065bfe02d507bfe0c
Instruction Fuzzy Hash: 8B21CFB2540305EBEB32EF65C949BA7B7FCEB40314F10841EE646D2151EB78EE048B64

Function 00785C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00785CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00785D17
FindClose.KERNEL32(?), ref: 00785D5F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ce78ccbf684e5c05e418c5a5ee7bb26b4b550b23b436658532e5322696a1d5c4
Instruction ID: 5caa924bceda6421d0d6e14505dfd43ae1edbb1c833121143203ab90be7874f7
Opcode Fuzzy Hash: ce78ccbf684e5c05e418c5a5ee7bb26b4b550b23b436658532e5322696a1d5c4
Instruction Fuzzy Hash: 15519A75704A01DFC714DF28C498A96B7E4FF49314F14855EE95A8B3A2CB38EC44CBA1

Function 00742622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0074271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00742724
UnhandledExceptionFilter.KERNEL32(?), ref: 00742731

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8636de60ace649e46909e61b952a10aac7fee11139386ba5090c5d235afd6f0e
Instruction ID: 900e284fc14a955f19388db890ddb076f9fd90f0d7a85a3fb04be8894caacda3
Opcode Fuzzy Hash: 8636de60ace649e46909e61b952a10aac7fee11139386ba5090c5d235afd6f0e
Instruction Fuzzy Hash: CF31D57494122CABCB21DF64DD887DCBBB8AF08310F5081EAE40CA7261E7349F818F45

Function 007851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00785238
SetErrorMode.KERNEL32(00000000), ref: 007852A1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 470bd785796b26f8d892bd122243fe070f897c7f61540a6105675284aa374ae5
Instruction ID: 90bb344ff3262e5ec305e0776f52d376dd1277b17bb60e7ed54efc3fd2a2e9d7
Opcode Fuzzy Hash: 470bd785796b26f8d892bd122243fe070f897c7f61540a6105675284aa374ae5
Instruction Fuzzy Hash: 10315075A00518DFDB00DF54D888EADBBF5FF49314F088099E8059B392DB35E856CB90

Function 007716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0072FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00730668
Part of subcall function 0072FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00730685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
GetLastError.KERNEL32 ref: 0077174A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: de3d253ce0d89adb7ae291b7144a6e2545366d7955df46284ca7488c850d095e
Instruction ID: 006df684b40a2ef75372a37d626e28427f634c7938695d93609e416c9fcde467
Opcode Fuzzy Hash: de3d253ce0d89adb7ae291b7144a6e2545366d7955df46284ca7488c850d095e
Instruction Fuzzy Hash: 4D1191B2504304BFDB189F54EC86D6BB7BDEB44754B20C52EE05657241EB74BC418B64

Function 0077D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0077D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077D650

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6c0d9351c165cef0156cadfeffa3ece59667236d4e04fc6272c4073093d1bfb3
Instruction ID: e160c162093a01a06ebec37c6d1e6b3681c2ad03cd159bce7f979925ac246f02
Opcode Fuzzy Hash: 6c0d9351c165cef0156cadfeffa3ece59667236d4e04fc6272c4073093d1bfb3
Instruction Fuzzy Hash: 52115E75E05228BFDB218F95DC45FAFBBBCEB45B90F108115F908E7290D6744E058BA1

Function 00771663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0077168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007716A1
FreeSid.ADVAPI32(?), ref: 007716B1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a13338226f4e1463696f20c1c32ccd2f5bca4f598ae4c6730894de406d796f45
Instruction ID: a06a0ffde052be720ac62903b1d0535bc6a15ff69b92f30ebc399cc4fb198497
Opcode Fuzzy Hash: a13338226f4e1463696f20c1c32ccd2f5bca4f598ae4c6730894de406d796f45
Instruction Fuzzy Hash: 4DF0F47195030DFBDF01DFE49C89AAEBBBCEB08644F508565E601E2181E778AA448B54

Function 0076D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0076D28C

Strings

X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 494fac3842971052d2fca4a7269eb05d02fa0dd167468eb3d23120fe1533d802
Instruction ID: f72d0ec976e44be8fd900533816f1512d22994b5ad2ca17f3e92a5d765834ca4
Opcode Fuzzy Hash: 494fac3842971052d2fca4a7269eb05d02fa0dd167468eb3d23120fe1533d802
Instruction Fuzzy Hash: 34D0CAB481116DEECBA0CBA0EC88DEAB3BCBB04305F104292F506A2000DB789A488F20

Function 0073CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: daae3e6d4a2dbff54cf49b291f8839ea577bbfb18e533db465d9402f8d9dbaf9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F2022D72E002199FEF15CFA9C8806ADFBF1EF48314F258169E919F7381D735AA418B90

Function 0071CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00760C40
p#~, xrefs: 0071CF7F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#~
API String ID: 0-3866028822
Opcode ID: c43e7265a31b2932ec9fbf72569071f5fdf567072b4f90d82f9bb266cc193a47
Instruction ID: 9bb3ff8076c1c36e097326131e4496056075bcae88daab8d156064b3d33845e5
Opcode Fuzzy Hash: c43e7265a31b2932ec9fbf72569071f5fdf567072b4f90d82f9bb266cc193a47
Instruction Fuzzy Hash: 50328070940218DFCF15DF98D885AEEB7B5FF05304F148059E806AB2D2D779AD86CBA1

Function 007868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00786918
FindClose.KERNEL32(00000000), ref: 00786961

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 824c8a2bb04a4b028012572a06a8a7410fdb07a2b3ed8054d228fd6f4bf978b6
Instruction ID: 637e530f3fad9467de3aa12b805b9eff45e83af646291ab18d8bb8416a9b5e66
Opcode Fuzzy Hash: 824c8a2bb04a4b028012572a06a8a7410fdb07a2b3ed8054d228fd6f4bf978b6
Instruction Fuzzy Hash: 9E118E71604200AFD710DF69D488A16BBE5FF85328F14C69DE4698F6A2CB38EC45CB91

Function 007837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00794891,?,?,00000035,?), ref: 007837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00794891,?,?,00000035,?), ref: 007837F4

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ed7faf894b2313ac16443a80f83f8ea3812ec7525aa6679e1e8764374a638b7a
Instruction ID: 9e25effdb0cc1a91e4dbf5f7a34d88a463d1f46c90f752d66f75e622daa19a71
Opcode Fuzzy Hash: ed7faf894b2313ac16443a80f83f8ea3812ec7525aa6679e1e8764374a638b7a
Instruction Fuzzy Hash: 1FF0EC706052147AD71027794C4DFDB369DEFC5B61F000275F505D22C1D9749944C7B0

Function 0077B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0077B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0077B270

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 636b5af045a3ca469cc033cf41a700b0eec0e909264a9e96989fd3ce56041af1
Instruction ID: 3a82427765ddae691a036731353a69b65502cea8e43467958376d625109ca565
Opcode Fuzzy Hash: 636b5af045a3ca469cc033cf41a700b0eec0e909264a9e96989fd3ce56041af1
Instruction Fuzzy Hash: C2F01D7180424DABDF059FA0C805BBE7BB4FF09309F10C009F955A5192C37D86119F98

Function 007710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007711FC), ref: 007710D4
CloseHandle.KERNEL32(?,?,007711FC), ref: 007710E9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3e851499326822167af941bef608273514d676965c833cd79700639003495908
Instruction ID: 87c8f9bc81b1ab12f6e6c824503114ca8c6864d0cd184aa0a67b87fb9717aceb
Opcode Fuzzy Hash: 3e851499326822167af941bef608273514d676965c833cd79700639003495908
Instruction Fuzzy Hash: A4E04F32004610FEEB262B11FC09E7377A9EF04310B10C82DF4A6804B1DB666C90DB54

Function 0074676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00746766,?,?,00000008,?,?,0074FEFE,00000000), ref: 00746998

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 70b4a4e4b461d8a138d0c5ba0b7c8f1543a90893c78c0c1db1a1b1613ece04d3
Instruction ID: 7ae972dcdc914ef9c67f1d5c013db30c36c3acfa136c903ca9ebf6ec8c41be89
Opcode Fuzzy Hash: 70b4a4e4b461d8a138d0c5ba0b7c8f1543a90893c78c0c1db1a1b1613ece04d3
Instruction Fuzzy Hash: ABB13A71610608DFD719CF28C48AB657BE0FF46364F25C658E899CF2A2C339E991CB41

Function 0072B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0076851F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 19bba0cb93b2f0ec7d3eb8e7ec8c916e8382cd43b6dfa3238b19e5df71313222
Instruction ID: cf08e47dcb5e5b5d909b0b1fed935b0b451a0f5847a6a15bb03ee41766231c96
Opcode Fuzzy Hash: 19bba0cb93b2f0ec7d3eb8e7ec8c916e8382cd43b6dfa3238b19e5df71313222
Instruction Fuzzy Hash: 4E124071900229DFCB54DF58D880AEEB7F5FF48710F14819AE849EB255EB389E81CB91

Function 0078EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0078EABD

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6916a5b826447627815c10868500bbaec976fcac7505d3e6be37ccfe5010cf55
Instruction ID: f25727e56b4a2aa9b75f43b1a001027f99e19c04d0618a56d7a973812295c804
Opcode Fuzzy Hash: 6916a5b826447627815c10868500bbaec976fcac7505d3e6be37ccfe5010cf55
Instruction Fuzzy Hash: 18E01A32240204AFC710EF59D808E9AB7E9AF98B60F04C416FC49C7291DB78E8818B91

Function 007309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007303EE), ref: 007309DA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 993be9517cb20bae495fb910fdc548ca9f7819efee2c491ee7c1bf6a70b0ae6c
Instruction ID: db1a77139aa106494364c2c9db253bd7165492016a29353edf7576696d33badc
Opcode Fuzzy Hash: 993be9517cb20bae495fb910fdc548ca9f7819efee2c491ee7c1bf6a70b0ae6c
Instruction Fuzzy Hash:

Function 0073781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0073798B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: f8191f6f199374d7a7de4d3bb88afd30f1a8f5fdc7f4dc601de2d919780b7f4b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2A517BF160C745ABFB3C8568889E7FE63C99B12300F184A09E982DB383C61DEE41D352

Function 00782046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&~, xrefs: 00782053

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: 0&~
API String ID: 0-2940855197
Opcode ID: d99bda3efd3b98660a66f5769668f672f82ecfdec9c89d466e79d9f1823139bf
Instruction ID: 23a9c30f300783b5595706dec1a54ec2d1ff898a85e86232ecfee897233ffde6
Opcode Fuzzy Hash: d99bda3efd3b98660a66f5769668f672f82ecfdec9c89d466e79d9f1823139bf
Instruction Fuzzy Hash: D32108322612108BDB28CE79C81267A73E9A754310F14862EE0A3C77C1DE79A905C784

Function 00746DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a339bef2efb18e2ada37f51dd80d93e66ee8d36b7876cb01f817cc1e1ed47e
Instruction ID: 22e22bc5b31753577da14bfc814d629730718cce7a124dcdbf0083324ba6bf15
Opcode Fuzzy Hash: c9a339bef2efb18e2ada37f51dd80d93e66ee8d36b7876cb01f817cc1e1ed47e
Instruction Fuzzy Hash: 64322522D29F414DDB279635CC22335A64DAFB73C5F15D737E81AB59AAEB2DC4838100

Function 0072CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699f4f1c5674846153a35a5bdbe24d12dea3de762b667191215d5113a896f96
Instruction ID: c1119d207840d97d6aa02c00fb6546fc0faa0234f2570b27361c7a66f0119b3d
Opcode Fuzzy Hash: e699f4f1c5674846153a35a5bdbe24d12dea3de762b667191215d5113a896f96
Instruction Fuzzy Hash: ED321431A001158BDF2ACF68D89467D7BA1EB55300F28816ADCCBDB291E73CDE81DB61

Function 00717920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217eab829701cebda7847a9dad522450cddf2c6d76982d5b27b44affa260b59e
Instruction ID: 6df75fee7115c8fcb1ad3a95c0214df383bb5496b31084d9499c01030bdf6364
Opcode Fuzzy Hash: 217eab829701cebda7847a9dad522450cddf2c6d76982d5b27b44affa260b59e
Instruction Fuzzy Hash: 4222D2B0A04609DFDF14CF68D895AEEB3F6FF44300F204129E816A7291EB79AD55CB50

Function 007191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0a7b7c1d947111a7a5671d8be77cf23987ca602530bbfafe61f2d0e730f656
Instruction ID: 1e97ac94efa82c04c7ad305575cb51394b32ed07f54bb2273f93c29978fecb21
Opcode Fuzzy Hash: cf0a7b7c1d947111a7a5671d8be77cf23987ca602530bbfafe61f2d0e730f656
Instruction Fuzzy Hash: CE02F6B0E00209EBDF04DF64D885AEEB7B5FF44300F108169E9169B291EB79EE55CB91

Function 00749EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a38ead9f39fd03880e77736ec5f73749892a885a1ca446dadc68435b197f593
Instruction ID: 22b3489974c46dca195f3c4537c54cc90fafa9c45a3f3fe417de64ce35ec1eec
Opcode Fuzzy Hash: 8a38ead9f39fd03880e77736ec5f73749892a885a1ca446dadc68435b197f593
Instruction Fuzzy Hash: 06B1EF20D2AF414DD22396398835337B69CAFBB6D5F92D31BFC2675D22EB2686C34140

Function 00731C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 747b0c9e019a034b9de7d67fc5b7c3da95c9e076cf59fd8d8f445c97d31a785a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 289189732090E34AFB29463E857403EFFE15A523A2B5A079DD4F2CB1C6FE18D954D620

Function 00731F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: e681d032b82fd8801e80e00bc3afa74a24427d3bc257f3d54628b00ace2db6f9
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 009156722090E349FB6D423D857403EFFE15A923A1B1A079DD4F2CB1C7EE28D959E620

Function 007319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2e7442406410d10b90ae99023f84cb40d72b1cf45a2ec00d4cd01b45524e4982
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1891577220D0E34EFB2D467A857403DFFE15A923A2B5A479ED4F2CA1C2FD18D564D620

Function 00737A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd0d2c3257da00639d646b22c01c1629f9e3bf052da45c9275d2e636b0d6bd4
Instruction ID: 623a69fd8901438e650cf29196f87b6b738da55f9ad7a3129dbb2d8bdc5558a5
Opcode Fuzzy Hash: dfd0d2c3257da00639d646b22c01c1629f9e3bf052da45c9275d2e636b0d6bd4
Instruction Fuzzy Hash: 2E615CF1208749A6FE7C5A2C8C95BBEA3A8DF41700F14491DF843DB283D61D9E42C366

Function 00737CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd21dba53f14f859ba0de681d46060ed441d4903cf556a69dd17ba3737f8276
Instruction ID: cd8a879b8a2401a0b19c43e13ec49133553584e1da7a1fd6f33f025e24f753f4
Opcode Fuzzy Hash: 7fd21dba53f14f859ba0de681d46060ed441d4903cf556a69dd17ba3737f8276
Instruction Fuzzy Hash: D4616BF1758709A6FE3C5A288896BBF2398DF41700F104959F943DF283D62EAD41C356

Function 00731706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 228bda9c24756fb4c75185dcb6c225ed39b42796dd5b22932373e3461a26a414
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3A8193726080E309FB2D823A853407EFFE15A923B1B5E079DD4F2CA1C3EE28D554E620

Function 00792ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00792B30
DeleteObject.GDI32(00000000), ref: 00792B43
DestroyWindow.USER32 ref: 00792B52
GetDesktopWindow.USER32 ref: 00792B6D
GetWindowRect.USER32(00000000), ref: 00792B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00792CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00792CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792CF8
GetClientRect.USER32(00000000,?), ref: 00792D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00792D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D80
GlobalLock.KERNEL32(00000000), ref: 00792D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D98
GlobalUnlock.KERNEL32(00000000), ref: 00792DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792DA8
GlobalFree.KERNEL32(00000000), ref: 00792DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007AFC38,00000000), ref: 00792DDB
GlobalFree.KERNEL32(00000000), ref: 00792DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00792E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00792E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0079303F

Strings

AutoIt v3, xrefs: 00792CF2
DISPLAY, xrefs: 00792EA2
static, xrefs: 00792D3A, 00792E91
, xrefs: 00792FC5

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 02befa9a0c82a01c9c0a75fd745a77be05bf0973dfb9a4d6ba6e3945aba49f63
Instruction ID: c1038f47d585b850984fe188bf91fe37d0f53c34bd38ea7eb998faeea107e17e
Opcode Fuzzy Hash: 02befa9a0c82a01c9c0a75fd745a77be05bf0973dfb9a4d6ba6e3945aba49f63
Instruction Fuzzy Hash: D5027E71600204FFDB15DF64DC89EAE7BB9FB49310F008158F915AB2A1DB38AD01CB64

Function 007A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007A712F
GetSysColorBrush.USER32(0000000F), ref: 007A7160
GetSysColor.USER32(0000000F), ref: 007A716C
SetBkColor.GDI32(?,000000FF), ref: 007A7186
SelectObject.GDI32(?,?), ref: 007A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007A71C0
GetSysColor.USER32(00000010), ref: 007A71C8
CreateSolidBrush.GDI32(00000000), ref: 007A71CF
FrameRect.USER32(?,?,00000000), ref: 007A71DE
DeleteObject.GDI32(00000000), ref: 007A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007A7230
FillRect.USER32(?,?,?), ref: 007A7262
GetWindowLongW.USER32(?,000000F0), ref: 007A7284

Part of subcall function 007A73E8: GetSysColor.USER32(00000012), ref: 007A7421
Part of subcall function 007A73E8: SetTextColor.GDI32(?,?), ref: 007A7425
Part of subcall function 007A73E8: GetSysColorBrush.USER32(0000000F), ref: 007A743B
Part of subcall function 007A73E8: GetSysColor.USER32(0000000F), ref: 007A7446
Part of subcall function 007A73E8: GetSysColor.USER32(00000011), ref: 007A7463
Part of subcall function 007A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007A7471
Part of subcall function 007A73E8: SelectObject.GDI32(?,00000000), ref: 007A7482
Part of subcall function 007A73E8: SetBkColor.GDI32(?,00000000), ref: 007A748B
Part of subcall function 007A73E8: SelectObject.GDI32(?,?), ref: 007A7498
Part of subcall function 007A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007A74B7
Part of subcall function 007A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007A74CE
Part of subcall function 007A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007A74DB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d8e1cfd8f1afcddaa42471299330b173e2fa2213c8f981b603bf27fc0f60110e
Instruction ID: c1d833a297b8b297f6d1daa8806396e47f3a606c5ba0eede3470e098bae3167b
Opcode Fuzzy Hash: d8e1cfd8f1afcddaa42471299330b173e2fa2213c8f981b603bf27fc0f60110e
Instruction Fuzzy Hash: 52A19C72508305BFDB069F60DC48A6BBBE9FBCA320F104B19F962961E1D738E944CB51

Function 00728D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00728E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00766AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00766AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00766F43

Part of subcall function 00728F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00728BE8,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728FC5

SendMessageW.USER32(?,00001053), ref: 00766F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00766F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00766FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00766FB7

Strings

0, xrefs: 00766DCF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5cf960e0bc177573c301937f2194a77b082775510c01acbf8398033157868eec
Instruction ID: b391f4e94040ef4cd4d46059eb55ea3ffd03a5bcf3b3695a5811d5d342211faa
Opcode Fuzzy Hash: 5cf960e0bc177573c301937f2194a77b082775510c01acbf8398033157868eec
Instruction Fuzzy Hash: A912C330602251EFDB25CF24D884BA5B7E5FB49300F958469F896CB262CB3AEC51CF55

Function 00792711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0079273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0079286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00792900
GetClientRect.USER32(00000000,?), ref: 0079290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00792955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00792964
GetStockObject.GDI32(00000011), ref: 00792974
SelectObject.GDI32(00000000,00000000), ref: 00792978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00792988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00792991
DeleteDC.GDI32(00000000), ref: 0079299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00792A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00792A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00792A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00792A77
GetStockObject.GDI32(00000011), ref: 00792A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00792A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00792A97

Strings

AutoIt v3, xrefs: 007928F8
msctls_progress32, xrefs: 00792A13
DISPLAY, xrefs: 0079295A
static, xrefs: 0079294F, 00792A71

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ef465bcdc2fd621a0ebc047f127f0758a802ec6c6c2009459480ba0329bfecfc
Instruction ID: 3c85a15974266b009cbf1326dfd01d56ec5e317e21ff6ab51d09c1c6584c2c20
Opcode Fuzzy Hash: ef465bcdc2fd621a0ebc047f127f0758a802ec6c6c2009459480ba0329bfecfc
Instruction Fuzzy Hash: C7B14EB1A00215BFDB14DFA8DC8AEAE7BB9EB49710F008114F915EB291D778AD41CB94

Function 00784ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00784AED
GetDriveTypeW.KERNEL32(?,007ACB68,?,\\.\,007ACC08), ref: 00784BCA
SetErrorMode.KERNEL32(00000000,007ACB68,?,\\.\,007ACC08), ref: 00784D36

Strings

RAMDisk, xrefs: 00784BF4
1394, xrefs: 00784C9F
SSA, xrefs: 00784CA6
Fibre, xrefs: 00784CAD
SAS, xrefs: 00784CC9
Removable, xrefs: 00784C10, 00784C15
RAID, xrefs: 00784CBB
CDROM, xrefs: 00784BFB
Virtual, xrefs: 00784CE5
SCSI, xrefs: 00784C8A
Unknown, xrefs: 00784BED, 00784C83
ATA, xrefs: 00784C98
SSD, xrefs: 00784C4A
USB, xrefs: 00784CB4
FileBackedVirtual, xrefs: 00784CEC
SATA, xrefs: 00784CD0
\\.\, xrefs: 00784B3F
Network, xrefs: 00784C02
ATAPI, xrefs: 00784C91
MMC, xrefs: 00784CDE
iSCSI, xrefs: 00784CC2
PhysicalDrive, xrefs: 00784B76
Fixed, xrefs: 00784C09

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4acd804f0e23125ff8d188f92bdac33c2167b8cce1ea84a80044afe9e56bc5af
Instruction ID: cc126940e35461b3c12a4c137c417d5931f29c2df85563d7bbc1eb128b2cf26c
Opcode Fuzzy Hash: 4acd804f0e23125ff8d188f92bdac33c2167b8cce1ea84a80044afe9e56bc5af
Instruction Fuzzy Hash: 7361B370785107EBCB14FF28CA959A8B7F5AB44340B248016F806AB791DBFDED41DB61

Function 007A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007A7421
SetTextColor.GDI32(?,?), ref: 007A7425
GetSysColorBrush.USER32(0000000F), ref: 007A743B
GetSysColor.USER32(0000000F), ref: 007A7446
CreateSolidBrush.GDI32(?), ref: 007A744B
GetSysColor.USER32(00000011), ref: 007A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007A7471
SelectObject.GDI32(?,00000000), ref: 007A7482
SetBkColor.GDI32(?,00000000), ref: 007A748B
SelectObject.GDI32(?,?), ref: 007A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007A7572
DrawFocusRect.USER32(?,?), ref: 007A757D
GetSysColor.USER32(00000011), ref: 007A758E
SetTextColor.GDI32(?,00000000), ref: 007A7596
DrawTextW.USER32(?,007A70F5,000000FF,?,00000000), ref: 007A75A8
SelectObject.GDI32(?,?), ref: 007A75BF
DeleteObject.GDI32(?), ref: 007A75CA
SelectObject.GDI32(?,?), ref: 007A75D0
DeleteObject.GDI32(?), ref: 007A75D5
SetTextColor.GDI32(?,?), ref: 007A75DB
SetBkColor.GDI32(?,?), ref: 007A75E5

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ed5ad329c764fc4a3422584d0190d5c9019689073ef490a1a24f34eb9541a7c7
Instruction ID: d9068959950ecebb2df0f9b7249635de96628bbe75cd9bfcd5189e73a71b16d4
Opcode Fuzzy Hash: ed5ad329c764fc4a3422584d0190d5c9019689073ef490a1a24f34eb9541a7c7
Instruction Fuzzy Hash: 26616272D00218BFDF059FA4DC49A9E7FB9EB4A320F118125F911A72A1D7789940CB94

Function 007A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007A1128
GetDesktopWindow.USER32 ref: 007A113D
GetWindowRect.USER32(00000000), ref: 007A1144
GetWindowLongW.USER32(?,000000F0), ref: 007A1199
DestroyWindow.USER32(?), ref: 007A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007A1245
IsWindowVisible.USER32(00000000), ref: 007A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007A12D0
GetWindowRect.USER32(00000000,?), ref: 007A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007A130E
GetMonitorInfoW.USER32(00000000,?), ref: 007A1328
CopyRect.USER32(?,?), ref: 007A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007A13AA

Strings

tooltips_class32, xrefs: 007A11E6
(, xrefs: 007A131B
0, xrefs: 007A10D3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6d652756a919b59a4110630ce22425126f06b37f57d111bceccfbb35d96202f2
Instruction ID: 782dc17fbec0acaf029921461ac602e0b5be55932ca5b835e16f62a83bda18f0
Opcode Fuzzy Hash: 6d652756a919b59a4110630ce22425126f06b37f57d111bceccfbb35d96202f2
Instruction Fuzzy Hash: F7B1A071604340EFE714DF64C888B6BBBE4FF89350F408A18F9999B2A1D735D845CB96

Function 00728891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00728968
GetSystemMetrics.USER32(00000007), ref: 00728970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0072899B
GetSystemMetrics.USER32(00000008), ref: 007289A3
GetSystemMetrics.USER32(00000004), ref: 007289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00728A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00728A3C
GetClientRect.USER32(00000000,000000FF), ref: 00728A5A
GetStockObject.GDI32(00000011), ref: 00728A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00728A81

Part of subcall function 0072912D: GetCursorPos.USER32(?), ref: 00729141
Part of subcall function 0072912D: ScreenToClient.USER32(00000000,?), ref: 0072915E
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000001), ref: 00729183
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000002), ref: 0072919D

SetTimer.USER32(00000000,00000000,00000028,007290FC), ref: 00728AA8

Strings

AutoIt v3 GUI, xrefs: 00728A20

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 89d7d0c439e4ca71de77e43e8aa67e56dcf13b45239ce88f1f5c99c708b51046
Instruction ID: 0dd3d6f3f47ba72a18efbe996c5f4f997bb4bdaaaffd93b17bc9b4f36e94b4e1
Opcode Fuzzy Hash: 89d7d0c439e4ca71de77e43e8aa67e56dcf13b45239ce88f1f5c99c708b51046
Instruction Fuzzy Hash: 7DB1A071A01259EFDB14DF68DC85BAE3BB5FB48314F518129FA05AB290DB38E840CF55

Function 00770D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
Part of subcall function 007710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
Part of subcall function 007710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
Part of subcall function 007710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00770DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00770E29
GetLengthSid.ADVAPI32(?), ref: 00770E40
GetAce.ADVAPI32(?,00000000,?), ref: 00770E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00770E96
GetLengthSid.ADVAPI32(?), ref: 00770EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00770EB5
HeapAlloc.KERNEL32(00000000), ref: 00770EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00770EDD
CopySid.ADVAPI32(00000000), ref: 00770EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00770F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00770F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00770F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F6E
HeapFree.KERNEL32(00000000), ref: 00770F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F7E
HeapFree.KERNEL32(00000000), ref: 00770F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F8E
HeapFree.KERNEL32(00000000), ref: 00770F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00770FA1
HeapFree.KERNEL32(00000000), ref: 00770FA8

Part of subcall function 00771193: GetProcessHeap.KERNEL32(00000008,00770BB1,?,00000000,?,00770BB1,?), ref: 007711A1
Part of subcall function 00771193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00770BB1,?), ref: 007711A8
Part of subcall function 00771193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00770BB1,?), ref: 007711B7

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5cec4432f3190834fb43302b69ad515fa6b80d0944febbd8eed5dc3f7cee670d
Instruction ID: 2645551991a30bcc0b5cded3c28126c47a0d355c033c54bc94b51c5c03b3310c
Opcode Fuzzy Hash: 5cec4432f3190834fb43302b69ad515fa6b80d0944febbd8eed5dc3f7cee670d
Instruction Fuzzy Hash: 39715C72A0020AFBDF21DFA4DC49BAEBBB8BF45340F048115F919A6191D7799A05CFA0

Function 0079C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007ACC08,00000000,?,00000000,?,?), ref: 0079C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0079C5A4
_wcslen.LIBCMT ref: 0079C5F4
_wcslen.LIBCMT ref: 0079C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0079C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0079C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0079C84D
RegCloseKey.ADVAPI32(?), ref: 0079C881
RegCloseKey.ADVAPI32(00000000), ref: 0079C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0079C960

Strings

REG_DWORD, xrefs: 0079C804
REG_QWORD, xrefs: 0079C8C3
REG_MULTI_SZ, xrefs: 0079C6F5
REG_SZ, xrefs: 0079C644
REG_BINARY, xrefs: 0079C913
REG_EXPAND_SZ, xrefs: 0079C5CD

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 02252a722ce7765ad8e3f0dd22a0cde6aee32bebca1a9f5b7e4baf366eed958a
Instruction ID: 6fed43151c1e7ff8b7e2e84299a3485540fc2bc4a2d0e29aa8c2cee2ca46d8cd
Opcode Fuzzy Hash: 02252a722ce7765ad8e3f0dd22a0cde6aee32bebca1a9f5b7e4baf366eed958a
Instruction Fuzzy Hash: F5126835604200DFDB15DF18D895A6AB7E5EF88714F14889CF84A9B3A2DB39FD81CB81

Function 007A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007A09C6
_wcslen.LIBCMT ref: 007A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A0A54
_wcslen.LIBCMT ref: 007A0A8A
_wcslen.LIBCMT ref: 007A0B06
_wcslen.LIBCMT ref: 007A0B81

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

Part of subcall function 00772BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00772BFA

Strings

UNCHECK, xrefs: 007A0D3E
GETITEMCOUNT, xrefs: 007A0C1E
CHECK, xrefs: 007A0A85, 007A0AA0
GETTOTALCOUNT, xrefs: 007A09F2, 007A0A17
GETTEXT, xrefs: 007A0C97
GETSELECTED, xrefs: 007A0C4E
EXISTS, xrefs: 007A0B7C, 007A0B97
ISCHECKED, xrefs: 007A0CE1
EXPAND, xrefs: 007A0BF8
COLLAPSE, xrefs: 007A0B01, 007A0B1C
SELECT, xrefs: 007A0D11

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7c2c45f5a005b4d06800eefe41716ef6ab77a8b477f66cb18c2aec9cf5998212
Instruction ID: 22102b2c419446e4d3948f6fe2a1e7885ffef863ef856305f2adeda4cc06149d
Opcode Fuzzy Hash: 7c2c45f5a005b4d06800eefe41716ef6ab77a8b477f66cb18c2aec9cf5998212
Instruction Fuzzy Hash: 3DE19B72208301DFC714DF28C45096AB7E2BFD9314B148A5DF89A9B3A2D739ED85CB91

Function 0079C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
_wcslen.LIBCMT ref: 0079C9F1
_wcslen.LIBCMT ref: 0079CA68
_wcslen.LIBCMT ref: 0079CA9E
_wcslen.LIBCMT ref: 0079CAF9
_wcslen.LIBCMT ref: 0079CB2F
_wcslen.LIBCMT ref: 0079CB7F

Strings

HKEY_USERS, xrefs: 0079CBDF
HKCC, xrefs: 0079CBAC
HKEY_CURRENT_CONFIG, xrefs: 0079CB79, 0079CB7E
HKEY_CLASSES_ROOT, xrefs: 0079CAF3, 0079CAF8
HKCU, xrefs: 0079CBCE
HKEY_CURRENT_USER, xrefs: 0079CBBD
HKLM, xrefs: 0079CA98, 0079CA9D
HKCR, xrefs: 0079CB29, 0079CB2E
HKU, xrefs: 0079CBF0
HKEY_LOCAL_MACHINE, xrefs: 0079CA62, 0079CA67

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 048d6748928f87a8de04e0264cc3e1e36c776c55dbcdc73eec03849d1f5f9155
Instruction ID: 62368458ed893a8d339d501f93f39e7cfd5c960ae59f3af31f748630178d38ee
Opcode Fuzzy Hash: 048d6748928f87a8de04e0264cc3e1e36c776c55dbcdc73eec03849d1f5f9155
Instruction Fuzzy Hash: 8371257260016A8BCF22DE3CED525BE33A1AF61760F544529F856A7285F63CDD80C3A0

Function 007A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A835A
_wcslen.LIBCMT ref: 007A836E
_wcslen.LIBCMT ref: 007A8391
_wcslen.LIBCMT ref: 007A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007A361A,?), ref: 007A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007A8501
FreeLibrary.KERNEL32(?), ref: 007A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007A851D
DestroyIcon.USER32(?), ref: 007A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007A8555

Strings

.icl, xrefs: 007A8368
.exe, xrefs: 007A8388
.dll, xrefs: 007A83AB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3c546f22ae403b8729255c5bceaf18d94430bc23034349420aa746d493149c4c
Instruction ID: bf52bd6586f31cf91310295902d3f75159927da9ee6e7efa8fe7d0dc06ca1abc
Opcode Fuzzy Hash: 3c546f22ae403b8729255c5bceaf18d94430bc23034349420aa746d493149c4c
Instruction Fuzzy Hash: 3061C271940215FEEB18DF64CC45BBE77A8BF89721F108609F815D61D1EB7CA990C7A0

Function 00717778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0071785F, 007178B1
#OnAutoItStartRegister, xrefs: 00717817
#comments-end, xrefs: 007178D9
Cannot parse #include, xrefs: 00755279
', xrefs: 00755169
#pragma compile, xrefs: 007177D3
#include-once, xrefs: 0071782F
#cs, xrefs: 00717873, 007178C5
#notrayicon, xrefs: 007177E7
Bad directive syntax error, xrefs: 0075519A
", xrefs: 00755153
#include, xrefs: 00717847
#ce, xrefs: 007178ED
#requireadmin, xrefs: 007177FF
Unterminated group of comments, xrefs: 0075528C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 58eeb27a7fa4f424d6b16e8b6cc6e92391b31b1003ed6189953ba80901722b59
Instruction ID: f09dcaa43f1ea316fb7c046ec9da676070d14e6097179b7961adf3a857325e1c
Opcode Fuzzy Hash: 58eeb27a7fa4f424d6b16e8b6cc6e92391b31b1003ed6189953ba80901722b59
Instruction Fuzzy Hash: 858104B0A40605FBDB25AF64CC56FEE3BB4AF55700F044024F905AA1D2EB7CD985C7A2

Function 00783E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00783EF8
_wcslen.LIBCMT ref: 00783F03
_wcslen.LIBCMT ref: 00783F5A
_wcslen.LIBCMT ref: 00783F98
GetDriveTypeW.KERNEL32(?), ref: 00783FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00784059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00784087

Strings

set cd door , xrefs: 00784028
closed, xrefs: 00783F08, 00783F2D, 00783F46, 00783F7E, 00783F97
close, xrefs: 00783EFE, 00783F18
open, xrefs: 00783F54, 00783F59
open , xrefs: 00783FE5
close cd wait, xrefs: 00784072
wait, xrefs: 00784044
type cdaudio alias cd wait, xrefs: 00784001

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e1877105dbd22fac164fa355b112e8223b948f0b3fb24eb0549e000088be0e14
Instruction ID: 9f2a12bb83ca36d50cc4f52dd1e51e1cf8516699bcddb021f200bc3a06f08958
Opcode Fuzzy Hash: e1877105dbd22fac164fa355b112e8223b948f0b3fb24eb0549e000088be0e14
Instruction Fuzzy Hash: 8371E472604202DFC710EF28C8819ABB7F4EF94764F10492DF99597291EB39ED45CB91

Function 00775A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00775A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00775A40
SetWindowTextW.USER32(?,?), ref: 00775A57
GetDlgItem.USER32(?,000003EA), ref: 00775A6C
SetWindowTextW.USER32(00000000,?), ref: 00775A72
GetDlgItem.USER32(?,000003E9), ref: 00775A82
SetWindowTextW.USER32(00000000,?), ref: 00775A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00775AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00775AC3
GetWindowRect.USER32(?,?), ref: 00775ACC
_wcslen.LIBCMT ref: 00775B33
SetWindowTextW.USER32(?,?), ref: 00775B6F
GetDesktopWindow.USER32 ref: 00775B75
GetWindowRect.USER32(00000000), ref: 00775B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00775BD3
GetClientRect.USER32(?,?), ref: 00775BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00775C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00775C2F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6b1e3756d91422d41eeb58383f73d4eae82763a1a3f3fd97cae9e14b9ead0468
Instruction ID: 64f358efd5f5c4895115346bb6da2064ba583947efab3f6fc9e95215ece1deb0
Opcode Fuzzy Hash: 6b1e3756d91422d41eeb58383f73d4eae82763a1a3f3fd97cae9e14b9ead0468
Instruction Fuzzy Hash: FF717E71900B09EFDF21DFA8CE85A6EBBF5FF48744F108918E146A25A0D7B8E944CB54

Function 0078FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0078FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0078FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0078FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0078FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0078FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0078FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0078FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0078FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0078FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0078FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0078FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0078FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0078FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0078FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0078FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0078FECC
GetCursorInfo.USER32(?), ref: 0078FEDC
GetLastError.KERNEL32 ref: 0078FF1E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f38323cfafc4eddfca1c530700f5dc27ed5885216f3a6998476b240c92dd823d
Instruction ID: 93c183cf7058ec3dda3cae4da97633749976d27d422d23f86e2269b20a6cef5c
Opcode Fuzzy Hash: f38323cfafc4eddfca1c530700f5dc27ed5885216f3a6998476b240c92dd823d
Instruction Fuzzy Hash: E94151B0D44319AADB109FBA8C8985EBFE8FF04754B54852AE119E7281DB78A9018F91

Function 007730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077318D
_wcslen.LIBCMT ref: 007731F8

Strings

NAME, xrefs: 00773335, 00773346
REGEXPCLASS, xrefs: 00773255, 00773266
INSTANCE, xrefs: 00773453
[}, xrefs: 0077339A
CLASS, xrefs: 00773188, 007731A5
CLASSNN, xrefs: 007731F3, 00773204
TEXT, xrefs: 0077347C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[}
API String ID: 176396367-3465173759
Opcode ID: 27aa810b7de3fb5dd477533edb78d0a41f9c724d367dd1a9bd59df2230b9f62b
Instruction ID: 579df7f60cf39c993509c270a1abbcc8f0516337bc5cfdfcb879e0e638c306fb
Opcode Fuzzy Hash: 27aa810b7de3fb5dd477533edb78d0a41f9c724d367dd1a9bd59df2230b9f62b
Instruction Fuzzy Hash: 37E1E732A00516EBCF189F78C4556FDBBB0BF44790F54C12AE45AF7241DB38AE85A790

Function 007300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007300C6

Part of subcall function 007300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007E070C,00000FA0,9C70F9CB,?,?,?,?,007523B3,000000FF), ref: 0073011C
Part of subcall function 007300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007523B3,000000FF), ref: 00730127
Part of subcall function 007300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007523B3,000000FF), ref: 00730138
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0073014E
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0073015C
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0073016A
Part of subcall function 007300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00730195
Part of subcall function 007300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007301A0

___scrt_fastfail.LIBCMT ref: 007300E7

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

Strings

WakeAllConditionVariable, xrefs: 00730162
SleepConditionVariableCS, xrefs: 00730154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00730122
InitializeConditionVariable, xrefs: 00730148
kernel32.dll, xrefs: 00730133

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a66d3b3912eebb0b712965ec9c228ec33c01245181882190efe500a9f5e641e2
Instruction ID: 15c34a5f8dd2c40da9e2568fefe82ec49589ed6ea8b58984281bc4a832319f22
Opcode Fuzzy Hash: a66d3b3912eebb0b712965ec9c228ec33c01245181882190efe500a9f5e641e2
Instruction Fuzzy Hash: E021FCB2B45714BBF7125BB4AC59B6E73A4DB86B51F004135F801A7292DBBC5C008AD4

Function 007844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007ACC08), ref: 00784527
_wcslen.LIBCMT ref: 0078453B
_wcslen.LIBCMT ref: 00784599
_wcslen.LIBCMT ref: 007845F4
_wcslen.LIBCMT ref: 0078463F
_wcslen.LIBCMT ref: 007846A7

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

GetDriveTypeW.KERNEL32(?,007D6BF0,00000061), ref: 00784743

Strings

ramdisk, xrefs: 007846F1
unknown, xrefs: 00784708
all, xrefs: 00784531, 00784536
removable, xrefs: 007845EA, 007845EF
fixed, xrefs: 00784635, 0078463A
network, xrefs: 0078469D, 007846A2
cdrom, xrefs: 0078458F, 00784594

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f97d70a35ebb89afca7cee98d0bffbd3dd32295b7c5196c32aa864887c7d85b3
Instruction ID: 30fe9aef8bba7dc4809cf2f8f6ee5958d5d3e7afa540d71a4f6d41a341d46b65
Opcode Fuzzy Hash: f97d70a35ebb89afca7cee98d0bffbd3dd32295b7c5196c32aa864887c7d85b3
Instruction Fuzzy Hash: 08B116716483039FC710EF28C894A6EB7E5BFA5720F50491DF496C7291E778E984CB52

Function 007A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DragQueryPoint.SHELL32(?,?), ref: 007A9147

Part of subcall function 007A7674: ClientToScreen.USER32(?,?), ref: 007A769A
Part of subcall function 007A7674: GetWindowRect.USER32(?,?), ref: 007A7710
Part of subcall function 007A7674: PtInRect.USER32(?,?,007A8B89), ref: 007A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007A9277
DragFinish.SHELL32(?), ref: 007A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007A9371

Strings

@GUI_DROPID, xrefs: 007A929E
p#~, xrefs: 007A92BB
@GUI_DRAGFILE, xrefs: 007A9320
@GUI_DRAGID, xrefs: 007A92E9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#~
API String ID: 221274066-3354685542
Opcode ID: a924b41c5e18998f6b10a37b34d3464104f816357884f50ee7abacce945ef7a5
Instruction ID: 25f49c682e3a98667729743ea3b7071271ef2e46cf2e57e6bcefaeb058758de6
Opcode Fuzzy Hash: a924b41c5e18998f6b10a37b34d3464104f816357884f50ee7abacce945ef7a5
Instruction Fuzzy Hash: D3617C71108301AFC701DF64DC89DAFBBE8EFC9750F404A1EF691921A1DB389A49CB96

Function 00793FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007ACC08), ref: 007940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,007ACC08), ref: 007940F2
FreeLibrary.KERNEL32(00000000,?,007ACC08), ref: 0079413E
StringFromGUID2.OLE32(?,?,00000028,?,007ACC08), ref: 007941A8
SysFreeString.OLEAUT32(00000009), ref: 00794262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007942C8
SysFreeString.OLEAUT32(?), ref: 007942F2

Strings

GetModuleHandleExW, xrefs: 007940C7
kernel32.dll, xrefs: 007940B6

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 67b8a284ef2f357c6b4c550a8f5c742d54f442fa91e1a3a4b2c7a034008a7f1e
Instruction ID: ace589bb67e0d17b1294d25076652e67d16f3909cb1a8744928066a374cb7486
Opcode Fuzzy Hash: 67b8a284ef2f357c6b4c550a8f5c742d54f442fa91e1a3a4b2c7a034008a7f1e
Instruction Fuzzy Hash: D5123D75A00119EFDF14CF94D884EAEBBB5FF49314F248098E905AB261D735ED46CBA0

Function 0071326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007E1990), ref: 00752F8D
GetMenuItemCount.USER32(007E1990), ref: 0075303D
GetCursorPos.USER32(?), ref: 00753081
SetForegroundWindow.USER32(00000000), ref: 0075308A
TrackPopupMenuEx.USER32(007E1990,00000000,?,00000000,00000000,00000000), ref: 0075309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007530A9

Strings

0, xrefs: 0071327D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 52f25020c0b27414e6948b5b5251264ebdde973c55858936677a4495d91527e9
Instruction ID: 152908fb2f9e8ea74dc9dcf880c94cddecf0e4a42a6b4ca7e8e6825e1f6863aa
Opcode Fuzzy Hash: 52f25020c0b27414e6948b5b5251264ebdde973c55858936677a4495d91527e9
Instruction Fuzzy Hash: FA712970644205FEEB219F28DC49FEABF65FF06364F204206F9196A1E1C7F9A954C790

Function 007A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007A6DEB

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A6E94
DestroyWindow.USER32(?), ref: 007A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00710000,00000000), ref: 007A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A6EFD
GetDesktopWindow.USER32 ref: 007A6F16
GetWindowRect.USER32(00000000), ref: 007A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007A6F4D

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

Strings

0, xrefs: 007A6D98
tooltips_class32, xrefs: 007A6E58, 007A6EDD

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0d4cec7dea2598c09cce24782bf768c9cd7b1931cc61e8fa2e207144d0a7f859
Instruction ID: 61393156d6ad619e0f50f5898277428101b89250b538c1c64a3a092d0b6f8f97
Opcode Fuzzy Hash: 0d4cec7dea2598c09cce24782bf768c9cd7b1931cc61e8fa2e207144d0a7f859
Instruction Fuzzy Hash: 43717870144284AFDB21CF18DC48EAABBF9FBCA304F48455EF999872A1C778E905CB15

Function 0078C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0078C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0078C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0078C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0078C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0078C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0078C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0078C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0078C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0078C5F0
InternetCloseHandle.WININET(00000000), ref: 0078C5FB

Strings

, xrefs: 0078C575

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 56a2a935119f150ffdd9e2b23bebb6ad14a637bc9e0ce92b2c93dd8199a7d923
Instruction ID: fc7d3826c9b263824a7f1fea31687b5a0b84e9babcc1f2cb0fc8a34edb93df34
Opcode Fuzzy Hash: 56a2a935119f150ffdd9e2b23bebb6ad14a637bc9e0ce92b2c93dd8199a7d923
Instruction Fuzzy Hash: 75516EB1540204BFEB22AF60C948ABB7BFCFF49754F108419F94596250DB38E954DB70

Function 007A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 007A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007A85AD
CloseHandle.KERNEL32(00000000), ref: 007A85BA
GlobalLock.KERNEL32(00000000), ref: 007A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007A85D7
GlobalUnlock.KERNEL32(00000000), ref: 007A85E0
CloseHandle.KERNEL32(00000000), ref: 007A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,007AFC38,?), ref: 007A8611
GlobalFree.KERNEL32(00000000), ref: 007A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 007A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007A8671
DeleteObject.GDI32(00000000), ref: 007A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007A86AF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 201d3b6513a259901d43bffa495593dd8f07e07b96a4666cbd01ff112ad35f38
Instruction ID: 15e5fc193d8c7b011943669548eb765e01080317df1699e9f726980c15e7f308
Opcode Fuzzy Hash: 201d3b6513a259901d43bffa495593dd8f07e07b96a4666cbd01ff112ad35f38
Instruction Fuzzy Hash: 5C41FA75600208FFDB129FA5DC48EAA7BB8FF8A711F148158F905E7260DB389901CB65

Function 007814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00781502
VariantCopy.OLEAUT32(?,?), ref: 0078150B
VariantClear.OLEAUT32(?), ref: 00781517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00781657
VariantInit.OLEAUT32(?), ref: 00781708
SysFreeString.OLEAUT32(?), ref: 0078178C
VariantClear.OLEAUT32(?), ref: 007817D8
VariantClear.OLEAUT32(?), ref: 007817E7
VariantInit.OLEAUT32(00000000), ref: 00781823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00781625
Default, xrefs: 007816AF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 115ecb186baeb016d4fa238746cc79cc249cda7a5e6d254a2d897ae12ebb00ed
Instruction ID: 2d6a94b6b96e87ba7ea690f0c652f1a8e30db7b415073ed811c9e96d6b61bfdc
Opcode Fuzzy Hash: 115ecb186baeb016d4fa238746cc79cc249cda7a5e6d254a2d897ae12ebb00ed
Instruction Fuzzy Hash: AFD12572A40115EBDB00BF65E889BBDB7B9BF46700F50805AF446AB180DB3CED52DB61

Function 0079B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0079B80A
RegCloseKey.ADVAPI32(?), ref: 0079B87E
RegCloseKey.ADVAPI32(?), ref: 0079B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0079B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0079B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0079B922
FreeLibrary.KERNEL32(00000000), ref: 0079B983
RegCloseKey.ADVAPI32(00000000), ref: 0079B994

Strings

advapi32.dll, xrefs: 0079B8ED
RegDeleteKeyExW, xrefs: 0079B8FE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 73f6588a85b0ab8bfc12711fddff83326c187c3429bb01040e813b770ee57604
Instruction ID: a4e8b71d5d10f2c5c6317a77f5065edf400ed363a5db4885f46fb191f5311599
Opcode Fuzzy Hash: 73f6588a85b0ab8bfc12711fddff83326c187c3429bb01040e813b770ee57604
Instruction Fuzzy Hash: 4BC19F30204201EFDB14DF18E599F2ABBE5BF84314F14855CF55A4B2A2CB79EC86CB91

Function 0079255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007925E8
CreateCompatibleDC.GDI32(?), ref: 007925F4
SelectObject.GDI32(00000000,?), ref: 00792601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0079266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007926D0
SelectObject.GDI32(?,?), ref: 007926D8
DeleteObject.GDI32(?), ref: 007926E1
DeleteDC.GDI32(?), ref: 007926E8
ReleaseDC.USER32(00000000,?), ref: 007926F3

Strings

(, xrefs: 0079268D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 777b70c948f39f30d73f080b1780d0b4ee594a28a5864780e0f64b2842e613b3
Instruction ID: 7acb154ea546c7639b4f5687e10ca0bf6cbf77bf1492f15ca269d03c28f27ebf
Opcode Fuzzy Hash: 777b70c948f39f30d73f080b1780d0b4ee594a28a5864780e0f64b2842e613b3
Instruction Fuzzy Hash: 296113B5E00219EFCF05DFA4D884AAEBBF5FF48310F208429E955A7251E734A941CF94

Function 0074DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0074DAA1

Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D659
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D66B
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D67D
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D68F
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6A1
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6B3
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6C5
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6D7
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6E9
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6FB
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D70D
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D71F
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D731

_free.LIBCMT ref: 0074DA96

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074DAB8
_free.LIBCMT ref: 0074DACD
_free.LIBCMT ref: 0074DAD8
_free.LIBCMT ref: 0074DAFA
_free.LIBCMT ref: 0074DB0D
_free.LIBCMT ref: 0074DB1B
_free.LIBCMT ref: 0074DB26
_free.LIBCMT ref: 0074DB5E
_free.LIBCMT ref: 0074DB65
_free.LIBCMT ref: 0074DB82
_free.LIBCMT ref: 0074DB9A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2236a7c2cc877088aaad6c78fe7d9836e7d9c2afcd62775bda157e989cb610d3
Instruction ID: d625ca373adeb312f2c68f3a5941913f580ea98a507d686cfac3a1406c6ec626
Opcode Fuzzy Hash: 2236a7c2cc877088aaad6c78fe7d9836e7d9c2afcd62775bda157e989cb610d3
Instruction Fuzzy Hash: 2F315C71604205DFEB32AA39E849B5677E9FF00310F55442AF498E72A2DB39BC51CB20

Function 0077365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0077369C
_wcslen.LIBCMT ref: 007736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00773797
GetClassNameW.USER32(?,?,00000400), ref: 0077380C
GetDlgCtrlID.USER32(?), ref: 0077385D
GetWindowRect.USER32(?,?), ref: 00773882
GetParent.USER32(?), ref: 007738A0
ScreenToClient.USER32(00000000), ref: 007738A7
GetClassNameW.USER32(?,?,00000100), ref: 00773921
GetWindowTextW.USER32(?,?,00000400), ref: 0077395D

Strings

%s%u, xrefs: 00773734

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 87d4bf53057a4a192d7d825b694fe61144d1fc3a02859461c9ee34c4a9f65909
Instruction ID: 0a157ad61caa41298e01fbbbd8396955b7cfbd73a6417f340410c011b5642f27
Opcode Fuzzy Hash: 87d4bf53057a4a192d7d825b694fe61144d1fc3a02859461c9ee34c4a9f65909
Instruction Fuzzy Hash: 9B91C671204606EFDB19DF24C885BAAF7A8FF44394F00C519FA9DC2190DB38EA55DBA1

Function 00774954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00774994
GetWindowTextW.USER32(?,?,00000400), ref: 007749DA
_wcslen.LIBCMT ref: 007749EB
CharUpperBuffW.USER32(?,00000000), ref: 007749F7
_wcsstr.LIBVCRUNTIME ref: 00774A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00774A64
GetWindowTextW.USER32(?,?,00000400), ref: 00774A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00774AE6
GetClassNameW.USER32(?,?,00000400), ref: 00774B20
GetWindowRect.USER32(?,?), ref: 00774B8B

Strings

ThumbnailClass, xrefs: 00774A6F, 00774AF1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8f7e29016109780ce8c948b72b783c3a7a87eca3a5b63adb4c9b72f3bfb33fd8
Instruction ID: b80187898ff3fdcd98f2d282ea8ba80aa5dfec2051367c60f56f4bc6fe25d952
Opcode Fuzzy Hash: 8f7e29016109780ce8c948b72b783c3a7a87eca3a5b63adb4c9b72f3bfb33fd8
Instruction Fuzzy Hash: 8391AC71104205AFDF05DF14C985BAAB7E8FF84394F04C46AFD899A0A6DB38ED45CBA1

Function 0077BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(007E1990,000000FF,00000000,00000030), ref: 0077BFAC
SetMenuItemInfoW.USER32(007E1990,00000004,00000000,00000030), ref: 0077BFE1
Sleep.KERNEL32(000001F4), ref: 0077BFF3
GetMenuItemCount.USER32(?), ref: 0077C039
GetMenuItemID.USER32(?,00000000), ref: 0077C056
GetMenuItemID.USER32(?,-00000001), ref: 0077C082
GetMenuItemID.USER32(?,?), ref: 0077C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0077C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077C145

Strings

0, xrefs: 0077BF3D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 71f8d5e546079917a08d8cb3719246734da0e279d779bded42e2ee023a40d041
Instruction ID: a7bfa67228042f0517a0d35ff7eccad2de7153000658226fe777c80134a4bb25
Opcode Fuzzy Hash: 71f8d5e546079917a08d8cb3719246734da0e279d779bded42e2ee023a40d041
Instruction Fuzzy Hash: 876196B0900249EFDF12CF64DC88AFE7BB8EB49384F548059F915A7251D739AD15CB60

Function 0079CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0079CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0079CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0079CD48

Part of subcall function 0079CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0079CCAA
Part of subcall function 0079CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0079CCBD
Part of subcall function 0079CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0079CCCF
Part of subcall function 0079CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0079CD05
Part of subcall function 0079CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0079CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0079CCF3

Strings

advapi32.dll, xrefs: 0079CCB8
RegDeleteKeyExW, xrefs: 0079CCC9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 58e169e97069616d224fbc28461a152562e840171f07749c4c9fd59011c9b10a
Instruction ID: a63672db045f136fd85fd1487ff8c56c669713044f75bb7298e0b8f5f4807505
Opcode Fuzzy Hash: 58e169e97069616d224fbc28461a152562e840171f07749c4c9fd59011c9b10a
Instruction Fuzzy Hash: C63160B1A01129BBDF228B54EC88EFFBB7CEF46750F004165F905E6240D6389E45DAB4

Function 00783D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00783D40
_wcslen.LIBCMT ref: 00783D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00783D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00783DBE
RemoveDirectoryW.KERNEL32(?), ref: 00783DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00783E55
CloseHandle.KERNEL32(00000000), ref: 00783E60
CloseHandle.KERNEL32(00000000), ref: 00783E6B

Strings

\, xrefs: 00783D77
:, xrefs: 00783D82
\??\%s, xrefs: 00783D5B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6d6cc309248cf78872c0e4499fbd14f1886cceb70334834f2d1a0bc7b35b3088
Instruction ID: 660c9a330f12500435ef8bb9b071ad2757052d5227faab6c6779f19a514d973c
Opcode Fuzzy Hash: 6d6cc309248cf78872c0e4499fbd14f1886cceb70334834f2d1a0bc7b35b3088
Instruction Fuzzy Hash: 3231B471A40119BBDB21ABA4DC49FEF37BCEF89B00F1040B5F505D6151EB7897458B24

Function 0077E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0077E6B4

Part of subcall function 0072E551: timeGetTime.WINMM(?,?,0077E6D4), ref: 0072E555

Sleep.KERNEL32(0000000A), ref: 0077E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0077E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0077E727
SetActiveWindow.USER32 ref: 0077E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0077E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0077E773
Sleep.KERNEL32(000000FA), ref: 0077E77E
IsWindow.USER32 ref: 0077E78A
EndDialog.USER32(00000000), ref: 0077E79B

Strings

BUTTON, xrefs: 0077E719

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 993587705f88a52d6687f4e800783f540a6df186af052a5903f9bfcd1c07ed30
Instruction ID: 74d56d9d27ecbd12462fe3f6c4273f3e61cd924b960b7103ff96781692dbb6a9
Opcode Fuzzy Hash: 993587705f88a52d6687f4e800783f540a6df186af052a5903f9bfcd1c07ed30
Instruction Fuzzy Hash: BF2184B0301245BFEF015F24ECC9A253B6DF79D389B10C465F509C55A2DBBDAC119A6C

Function 0077E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0077EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0077EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0077EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0077EAA7

Strings

close PlayMe, xrefs: 0077EA6E, 0077EA9B
play PlayMe wait, xrefs: 0077EA91
open , xrefs: 0077EA0C
play PlayMe, xrefs: 0077EAA2
status PlayMe mode, xrefs: 0077EA58
alias PlayMe, xrefs: 0077EA36

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 50481ae339408c38273122dc77c8e5c4a29b42b76c6ee6d1497f5b80fe56555d
Instruction ID: 342595b667d5a48f4992cdaad74addaccd65374cbdfddc172ce18fd6857fed3b
Opcode Fuzzy Hash: 50481ae339408c38273122dc77c8e5c4a29b42b76c6ee6d1497f5b80fe56555d
Instruction Fuzzy Hash: 5711C671A50219B9DB20A7A5DC5ADFF6B7CEBD5F40F00442AB815A20D0EE782E45C5B0

Function 00775CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00775CE2
GetWindowRect.USER32(00000000,?), ref: 00775CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00775D59
GetDlgItem.USER32(?,00000002), ref: 00775D69
GetWindowRect.USER32(00000000,?), ref: 00775D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00775DCF
GetDlgItem.USER32(?,000003E9), ref: 00775DDD
GetWindowRect.USER32(00000000,?), ref: 00775DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00775E31
GetDlgItem.USER32(?,000003EA), ref: 00775E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00775E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00775E67

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5f1c3069313b18bd95384a4c04f19d248a823568df520585c285669abc4b9338
Instruction ID: da4c34ed71b9b7bcdc6e471035cfdaacab6c5b67fef080ffd939503cc2cb7dac
Opcode Fuzzy Hash: 5f1c3069313b18bd95384a4c04f19d248a823568df520585c285669abc4b9338
Instruction Fuzzy Hash: 0B510E71B00605AFDF19CF68DD89AAEBBB5FB88340F148229F519E7290D7B49E04CB50

Function 00728BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00728F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00728BE8,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728FC5

DestroyWindow.USER32(?), ref: 00728C81
KillTimer.USER32(00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00766973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 007669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 007669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000), ref: 007669D4
DeleteObject.GDI32(00000000), ref: 007669E6

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 15edd979b51235ebf9f8e73cddcc28a73998165aeb65717879ac996720e6f53a
Instruction ID: 806e62fe21244b42d05081aaeb0594f06c8dc144e0111865dc50edfa3495d1ff
Opcode Fuzzy Hash: 15edd979b51235ebf9f8e73cddcc28a73998165aeb65717879ac996720e6f53a
Instruction Fuzzy Hash: A161BD30103760DFCB629F14EA49B2A77F1FB44312F95855CE4429A560CB3EB880CFA6

Function 00729838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

GetSysColor.USER32(0000000F), ref: 00729862

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7835aafe431d30363b66c9f02048d9d1181407f626babc299413983b7dd7cf54
Instruction ID: 4d9f738a6cf78cea092895015859589f94ba7e4d424af10846e6d1ea95ffe4e4
Opcode Fuzzy Hash: 7835aafe431d30363b66c9f02048d9d1181407f626babc299413983b7dd7cf54
Instruction Fuzzy Hash: 0841D471500654AFDB255F38EC88BB93BA5EB57370F1C8645FAA28B1E2D7389C41DB10

Function 00748D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.s, xrefs: 0074903A, 00748FD0, 00748FF2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: .s
API String ID: 0-1621786184
Opcode ID: 0a2c03f8e5a15180aabee92d8c4f41024f92b0465e446c58626dab10440bef17
Instruction ID: 5f24f82084dc2d8cb25200c8417c9dc9588f06d112c06876d3b777f25eb0c7f8
Opcode Fuzzy Hash: 0a2c03f8e5a15180aabee92d8c4f41024f92b0465e446c58626dab10440bef17
Instruction Fuzzy Hash: ACC1E475E0424AEFDF11DFA8D845BAEBBB0BF09310F144199F514AB3A2C7789941CB61

Function 007796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0075F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00779717
LoadStringW.USER32(00000000,?,0075F7F8,00000001), ref: 00779720

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0075F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00779742
LoadStringW.USER32(00000000,?,0075F7F8,00000001), ref: 00779745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00779866

Strings

^ ERROR, xrefs: 007797FB
Line %d:, xrefs: 007797A0
Line %d (File "%s"):, xrefs: 0077978F
%s (%d) : ==> %s: %s %s, xrefs: 0077984A
Error: , xrefs: 0077981D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: dd34ea3cea8ce4c0b254f0710500c69203bd5d134acedb07e6a4dc55f0a87136
Instruction ID: e1d34adf31fc0a5483b78541497c1a408c562206105c159e49f974ee0ea1b5df
Opcode Fuzzy Hash: dd34ea3cea8ce4c0b254f0710500c69203bd5d134acedb07e6a4dc55f0a87136
Instruction Fuzzy Hash: CB412C72801219EADF04EBE4DE9ADEEB778AF55340F504025F60572092EB396F89CB61

Function 007706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00770804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0077082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00770837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0077083C

Strings

SOFTWARE\Classes\, xrefs: 0077070E
\IPC$, xrefs: 00770784
\CLSID, xrefs: 00770724

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1730bb1184b533f6b04555e74676e42127a24534818df67221bcaf3ccb084bc8
Instruction ID: 3e84a2599c5ce989d04024ff7d96e5a74f2fff3331168affcda1f7820dc8f4d1
Opcode Fuzzy Hash: 1730bb1184b533f6b04555e74676e42127a24534818df67221bcaf3ccb084bc8
Instruction Fuzzy Hash: EC41FC71C10229EBDF15EB94DC99CEDB778FF44350F148126E915A31A1EB386E44CB90

Function 00793C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00793C5C
CoInitialize.OLE32(00000000), ref: 00793C8A
CoUninitialize.OLE32 ref: 00793C94
_wcslen.LIBCMT ref: 00793D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00793DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00793ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00793F0E
CoGetObject.OLE32(?,00000000,007AFB98,?), ref: 00793F2D
SetErrorMode.KERNEL32(00000000), ref: 00793F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00793FC4
VariantClear.OLEAUT32(?), ref: 00793FD8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 45d4dca5080aab846e6abb0d921ded7caf8036c5df244bf06cd3a8cda3faedc7
Instruction ID: 12d05e6351322a7470e843501cedb6a979c10bda55cf6e0147376642a274fcea
Opcode Fuzzy Hash: 45d4dca5080aab846e6abb0d921ded7caf8036c5df244bf06cd3a8cda3faedc7
Instruction Fuzzy Hash: 16C13571608205EFDB00DF68D88492BBBE9FF89744F04491DF98A9B250D738EE45CB52

Function 00787A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00787AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00787B8F
SHGetDesktopFolder.SHELL32(?), ref: 00787BA3
CoCreateInstance.OLE32(007AFD08,00000000,00000001,007D6E6C,?), ref: 00787BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00787C74
CoTaskMemFree.OLE32(?,?), ref: 00787CCC
SHBrowseForFolderW.SHELL32(?), ref: 00787D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00787D7A
CoTaskMemFree.OLE32(00000000), ref: 00787D81
CoTaskMemFree.OLE32(00000000), ref: 00787DD6
CoUninitialize.OLE32 ref: 00787DDC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: fa64d3828a83c85c834cdffc8d35a5e339467a59e3d7853b9332488c5d78e7f1
Instruction ID: a1ea3237c0ce135112af93e70a82eea2a6065efbe5b2ddffa36e4a590da1865b
Opcode Fuzzy Hash: fa64d3828a83c85c834cdffc8d35a5e339467a59e3d7853b9332488c5d78e7f1
Instruction Fuzzy Hash: 10C11B75A04109EFCB14DFA4C888DAEBBF9FF48314B148499E91A9B361D734ED81CB90

Function 007A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A5515
CharNextW.USER32(00000158), ref: 007A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A55AC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 0b6edd0e069b134ccdcdce7c63c734ddeedf1cd7903ccfcde53a9210ac6c03fa
Instruction ID: de204444eb45672ebab9863bf6542c4133ebe5d19e1a20031217fc2dac6980d3
Opcode Fuzzy Hash: 0b6edd0e069b134ccdcdce7c63c734ddeedf1cd7903ccfcde53a9210ac6c03fa
Instruction Fuzzy Hash: C2619D31900608EFDF11CF54CC84DFE7BB9EB8B721F108245F925AA290D7789A80DB60

Function 0076FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0076FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0076FB08
VariantInit.OLEAUT32(?), ref: 0076FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0076FB3A
VariantCopy.OLEAUT32(?,?), ref: 0076FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0076FBA1
VariantClear.OLEAUT32(?), ref: 0076FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0076FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076FBCC
VariantClear.OLEAUT32(?), ref: 0076FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076FBE9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a51e3726dbcff2d934ad68cc285ea7fba784dcabe92c3cb215bfba4dedb9a95a
Instruction ID: cfc1656868a028d2709063e0e973b9c691d4aaca8aa68b7edbf421f72d861bd1
Opcode Fuzzy Hash: a51e3726dbcff2d934ad68cc285ea7fba784dcabe92c3cb215bfba4dedb9a95a
Instruction Fuzzy Hash: E3415475900119EFCB01DF68D8589ADBFB9FF49354F00C065E906A7251CB38A945CF94

Function 00779C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00779CA1
GetAsyncKeyState.USER32(000000A0), ref: 00779D22
GetKeyState.USER32(000000A0), ref: 00779D3D
GetAsyncKeyState.USER32(000000A1), ref: 00779D57
GetKeyState.USER32(000000A1), ref: 00779D6C
GetAsyncKeyState.USER32(00000011), ref: 00779D84
GetKeyState.USER32(00000011), ref: 00779D96
GetAsyncKeyState.USER32(00000012), ref: 00779DAE
GetKeyState.USER32(00000012), ref: 00779DC0
GetAsyncKeyState.USER32(0000005B), ref: 00779DD8
GetKeyState.USER32(0000005B), ref: 00779DEA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d88205d8b2a43ea41832cba4dae28516970f65b1467d1d29d8b1aaa19f112197
Instruction ID: a34b9af03e56ca108fcf7fd684ac3f68c4a5163906ba4c6e4a1b0f753623f224
Opcode Fuzzy Hash: d88205d8b2a43ea41832cba4dae28516970f65b1467d1d29d8b1aaa19f112197
Instruction Fuzzy Hash: 8A41EB346057C96DFF31877484043B5BEA06F12384F08C05ADBCA566C2EBEC99D4C7A2

Function 0079055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007905BC
inet_addr.WSOCK32(?), ref: 0079061C
gethostbyname.WSOCK32(?), ref: 00790628
IcmpCreateFile.IPHLPAPI ref: 00790636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007907B9
WSACleanup.WSOCK32 ref: 007907BF

Strings

Ping, xrefs: 00790676

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2221deec32f89b2e1e371b25058698702ccf1c2ee05f2dc3c89e3e0d8cbb9c7c
Instruction ID: ec90d4ccca555170b95abd6d23679d94407de49c2155d58e49524ca47fcbaed3
Opcode Fuzzy Hash: 2221deec32f89b2e1e371b25058698702ccf1c2ee05f2dc3c89e3e0d8cbb9c7c
Instruction Fuzzy Hash: 8E918F75614201EFDB20CF19E488F16BBE0AF84328F1585A9E4698B6A2C738EC41CFD1

Function 00798CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00798CF3

Part of subcall function 00778E54: _wcslen.LIBCMT ref: 00778E77

_wcslen.LIBCMT ref: 00798D4E
_wcslen.LIBCMT ref: 00798D9C
_wcslen.LIBCMT ref: 00798DDC
_wcslen.LIBCMT ref: 00798E6E

Strings

none, xrefs: 00798E65, 00798E6A
winapi, xrefs: 00798D96, 00798D9B
stdcall, xrefs: 00798DD6, 00798DDB
cdecl, xrefs: 00798D48, 00798D4D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b26d95b1406ff9adae0b60c5bfb1601feba799f053981d0f7e3d48299e3a11d3
Instruction ID: 68b8f763237af72f3898132b6ccb41d26f01dd23ee748aa11ebd05fe0c4bbd78
Opcode Fuzzy Hash: b26d95b1406ff9adae0b60c5bfb1601feba799f053981d0f7e3d48299e3a11d3
Instruction Fuzzy Hash: 1B51C131A00116EBCF54DF6CD9519BEB3A5BF6A320B204229E526E73C4EB39ED40C791

Function 0079372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00793774
CoUninitialize.OLE32 ref: 0079377F
CoCreateInstance.OLE32(?,00000000,00000017,007AFB78,?), ref: 007937D9
IIDFromString.OLE32(?,?), ref: 0079384C
VariantInit.OLEAUT32(?), ref: 007938E4
VariantClear.OLEAUT32(?), ref: 00793936

Strings

NULL Pointer assignment, xrefs: 0079381E
Failed to create object, xrefs: 007937E4, 0079389A
Invalid parameter, xrefs: 00793865

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1bc51be3fdb8f964dcaaa18552aadd8a58a65c20271358b01975bb9818285fa1
Instruction ID: 8449756ee865153a3acd7457757dd13fa9854e49ea10fd2cb126d6ae603342a5
Opcode Fuzzy Hash: 1bc51be3fdb8f964dcaaa18552aadd8a58a65c20271358b01975bb9818285fa1
Instruction Fuzzy Hash: D7618FB0608301EFDB11DF54D889F6ABBE4EF49714F004909F5859B291D778EE48CBA6

Function 00783388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007833CF

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007833F0

Strings

^ ERROR , xrefs: 0078349E
"%s" (%d) : ==> %s:, xrefs: 00783522
Incorrect parameters to object property !, xrefs: 007834AB
Line %d (File "%s"):, xrefs: 00783443, 0078345C
Error: , xrefs: 007834D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00783504

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8b1937190c3870a64b761b89a14aff8a241323911190c20b698dd8ed11d30fba
Instruction ID: dcb822214164a15fb6e55ac32d2eeeb22b5a04948406def78c38482f842510f5
Opcode Fuzzy Hash: 8b1937190c3870a64b761b89a14aff8a241323911190c20b698dd8ed11d30fba
Instruction Fuzzy Hash: 0151A1B1801209FADF15EBA4CD5AEEEB778AF04740F108065F50972191EB3D2F98DB60

Function 0077B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0077B5FC
_wcslen.LIBCMT ref: 0077B608
_wcslen.LIBCMT ref: 0077B64D
_wcslen.LIBCMT ref: 0077B68C
_wcslen.LIBCMT ref: 0077B6C7

Strings

EXISTS, xrefs: 0077B686, 0077B68B
KEYS, xrefs: 0077B647, 0077B64C
REMOVE, xrefs: 0077B602, 0077B607
APPEND, xrefs: 0077B6C1, 0077B6C6

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fdf75f613284c4c4ebdc7cc58e3938fb600a7d2313240745d94afb35de0f9226
Instruction ID: 0234136423d9755658c416cb3a812a16d69a0f2f1585bf5f15205fbe7df9d44d
Opcode Fuzzy Hash: fdf75f613284c4c4ebdc7cc58e3938fb600a7d2313240745d94afb35de0f9226
Instruction Fuzzy Hash: E641DB32A00126DBCF105F7DC8906BE77B5AFA17E4B24812AE629D7284E73DDD81C790

Function 00785393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00785416
GetLastError.KERNEL32 ref: 00785420
SetErrorMode.KERNEL32(00000000,READY), ref: 007854A7

Strings

INVALID, xrefs: 00785459
UNKNOWN, xrefs: 00785444
READY, xrefs: 00785460, 00785468
READONLY, xrefs: 00785452
NOTREADY, xrefs: 0078544B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 06a6bbcbf2ee43283ec7805604b052b28a087f430dec391e557d3db823d77cff
Instruction ID: 5b47cbfa90dfdfe6d3ba97940a1ad761a30be29dc75deea0d3c9f9ac0b2d7c4e
Opcode Fuzzy Hash: 06a6bbcbf2ee43283ec7805604b052b28a087f430dec391e557d3db823d77cff
Instruction Fuzzy Hash: 8E31C375A40644EFDB10EF68C488AAABBF4FF45305F148065E509CB392DB79DD86CB90

Function 007A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007A3C79
SetMenu.USER32(?,00000000), ref: 007A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A3D10
IsMenu.USER32(?), ref: 007A3D24
CreatePopupMenu.USER32 ref: 007A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A3D5B
DrawMenuBar.USER32 ref: 007A3D63

Strings

0, xrefs: 007A3C54
F, xrefs: 007A3D4E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 2c3cf050c0897e2bee7e8e8cde114fa81defd51c1498f9994f559ceadbc08ffe
Instruction ID: cb37d3cb225638b8564d07d2185cab250dc1e193453b521516427f702c21a6c0
Opcode Fuzzy Hash: 2c3cf050c0897e2bee7e8e8cde114fa81defd51c1498f9994f559ceadbc08ffe
Instruction Fuzzy Hash: 10416B75A01209EFDB14CF64D884EEA7BB5FF8A351F144129F946A7360D738AA10CF94

Function 00771EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00771F64
GetDlgCtrlID.USER32 ref: 00771F6F
GetParent.USER32 ref: 00771F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00771F8E
GetDlgCtrlID.USER32(?), ref: 00771F97
GetParent.USER32(?), ref: 00771FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00771FAE

Strings

ListBox, xrefs: 00771F21
ComboBox, xrefs: 00771EEC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b6c3671e18102fafb7f465a816c7ff7a11ad7e8ce720faa8603f5749d5823891
Instruction ID: 676a8086067f978802b1ac300a7e2bf70b734f8e20104687444d67883697ab2f
Opcode Fuzzy Hash: b6c3671e18102fafb7f465a816c7ff7a11ad7e8ce720faa8603f5749d5823891
Instruction Fuzzy Hash: C421B070900214BBCF05EFA4CC99DEEBBB8AF46390B108196FA65672D1CB3C59059B64

Function 007A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007A3C13

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8878165e2fbb03f15021f7bedb0ed621ad4a0b4a3b100f133a51872119bba73d
Instruction ID: f5977a6a3632517722006a40c6ef30ed1361ad8613f2146a7ef80ae23c68d3da
Opcode Fuzzy Hash: 8878165e2fbb03f15021f7bedb0ed621ad4a0b4a3b100f133a51872119bba73d
Instruction Fuzzy Hash: 09618E75900248EFDB10DF68CC81EEE77F8EB49710F104199FA15AB291C778AE41DB60

Function 0077B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0077B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B165
GetWindowThreadProcessId.USER32(00000000), ref: 0077B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0077B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B21D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ba24b83eae2e55d404b625ca3df072aa898b403cfb74af5beb41f99899044cf
Instruction ID: 9e553bdb81490b2954950294fbf33e7f4b49b7653afcbdd327f3dc05a9c1e26d
Opcode Fuzzy Hash: 2ba24b83eae2e55d404b625ca3df072aa898b403cfb74af5beb41f99899044cf
Instruction Fuzzy Hash: D831BD71501208BFDF119F24DC89B6D7BAABB96395F10C804FA08DB191D7BC9E008F68

Function 00742C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00742C94

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 00742CA0
_free.LIBCMT ref: 00742CAB
_free.LIBCMT ref: 00742CB6
_free.LIBCMT ref: 00742CC1
_free.LIBCMT ref: 00742CCC
_free.LIBCMT ref: 00742CD7
_free.LIBCMT ref: 00742CE2
_free.LIBCMT ref: 00742CED
_free.LIBCMT ref: 00742CFB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce7b3cc3c49480840254e3318bbd9c4c20df97c8dca47403a806ebe281e5e7f3
Instruction ID: b6a43f5aa0e407b4ce2e8f7a30c21fcd7a924bc9f2c1cbcabb2f7372238f5c79
Opcode Fuzzy Hash: ce7b3cc3c49480840254e3318bbd9c4c20df97c8dca47403a806ebe281e5e7f3
Instruction Fuzzy Hash: A9118076100108EFDB02EF55D886CDD3BA5FF05350F9144A5FA48AB232DB35EA619F90

Function 00787DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00787FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00787FC1
GetFileAttributesW.KERNEL32(?), ref: 00787FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00788005
SetCurrentDirectoryW.KERNEL32(?), ref: 00788017
SetCurrentDirectoryW.KERNEL32(?), ref: 00788060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007880B0

Strings

*.*, xrefs: 00788066

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b78b0e9ff3d08d2d6f06ece8cc991f09c91bec867616b5f5147170d28a975661
Instruction ID: 3d7b99ba003dc667f0906e4badac13a8b25b9c44c357e623a1a185b8f942c624
Opcode Fuzzy Hash: b78b0e9ff3d08d2d6f06ece8cc991f09c91bec867616b5f5147170d28a975661
Instruction Fuzzy Hash: E181A172548201DBCB28FF54C4849AAB3E8BF89310F644C5EF88AD7251EB79ED45CB52

Function 00715BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00715C7A

Part of subcall function 00715D0A: GetClientRect.USER32(?,?), ref: 00715D30
Part of subcall function 00715D0A: GetWindowRect.USER32(?,?), ref: 00715D71
Part of subcall function 00715D0A: ScreenToClient.USER32(?,?), ref: 00715D99

GetDC.USER32 ref: 007546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00754708
SelectObject.GDI32(00000000,00000000), ref: 00754716
SelectObject.GDI32(00000000,00000000), ref: 0075472B
ReleaseDC.USER32(?,00000000), ref: 00754733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007547C4

Strings

U, xrefs: 00754693

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fcd3a5e2b7d0551d9b00312002bb0f5bffd60130e38d076e23e53121d4f2a90d
Instruction ID: b882137ff5d1dda9f164b1d720a07bfd4376c252d2416993c6b014c04b0d60b7
Opcode Fuzzy Hash: fcd3a5e2b7d0551d9b00312002bb0f5bffd60130e38d076e23e53121d4f2a90d
Instruction Fuzzy Hash: 0E711330400205EFCF258F68C984AFA3BB1FF8A31AF144669ED515A1A6C7799CC5DF60

Function 0078359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007835E4

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

LoadStringW.USER32(007E2390,?,00000FFF,?), ref: 0078360A

Strings

^ ERROR, xrefs: 007836C9
"%s" (%d) : ==> %s:, xrefs: 00783742
Line %d (File "%s"):, xrefs: 0078366B
Error: , xrefs: 007836EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00783724

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 849e504b765fcbe03ba525af43bf68a4c8b7e2c33bb0dbcbae7fd206bb3cb52d
Instruction ID: 0221c687b5867931140c44528a02a70f4ca45806f5d2dceb61dfae1914f56991
Opcode Fuzzy Hash: 849e504b765fcbe03ba525af43bf68a4c8b7e2c33bb0dbcbae7fd206bb3cb52d
Instruction Fuzzy Hash: E55191B1800209FADF15EBA4CC96EEDBB34AF04740F144125F615721A1EB386BD9DFA4

Function 0078C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0078C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0078C2CA
GetLastError.KERNEL32 ref: 0078C322
SetEvent.KERNEL32(?), ref: 0078C336
InternetCloseHandle.WININET(00000000), ref: 0078C341

Strings

, xrefs: 0078C2BB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 991ef556da168dd44b2c96aa79d6283a2c6b37a78535445d44b090f8b3dc9d8c
Instruction ID: 9ed4e96060f9088913b8be0951e92af6d8bb65d55b717a1173c7acf9571b0d9f
Opcode Fuzzy Hash: 991ef556da168dd44b2c96aa79d6283a2c6b37a78535445d44b090f8b3dc9d8c
Instruction Fuzzy Hash: D8319CB1640208BFD723AFA49C88AAB7BFCEB4A744F14851EF446D2640DB38DD058B71

Function 0077989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00753AAF,?,?,Bad directive syntax error,007ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007798BC
LoadStringW.USER32(00000000,?,00753AAF,?), ref: 007798C3

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00779987

Strings

., xrefs: 0077996D
Error: , xrefs: 00779955
Line %d:, xrefs: 00779912
Line %d (File "%s"):, xrefs: 0077992D
%s (%d) : ==> %s.: %s %s, xrefs: 007798F1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 543a2e67ee8667919d6c91072a7c630d9058999f0d71c87e10ec000d949eb11f
Instruction ID: 63fe143c677f1d9655ab7cc246022260f11e3aefd5d6f3985f756100ff289c9a
Opcode Fuzzy Hash: 543a2e67ee8667919d6c91072a7c630d9058999f0d71c87e10ec000d949eb11f
Instruction Fuzzy Hash: 0321917180021AFBDF11AF90CC1AEEE7775FF18340F044426F619620A2EB79A658DB60

Function 0077209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0077214D

Strings

smallicons, xrefs: 00772115
details, xrefs: 007720FB
largeicons, xrefs: 007720E1
list, xrefs: 0077212F
SHELLDLL_DefView, xrefs: 007720CC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: df633578cf622d63d50d479da97db8c293ccd2fc5e735c9d4a595c9b2db204c6
Instruction ID: 468c0601891aae59edc9cdcaa6a6fac9484dac1266361fa21c9e29455dd385c1
Opcode Fuzzy Hash: df633578cf622d63d50d479da97db8c293ccd2fc5e735c9d4a595c9b2db204c6
Instruction Fuzzy Hash: F51129B668870EFAFE056624DC0BDA637ACEB05364F608117FB18B51D3FE6D68035618

Function 0074CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0074CEB7
_free.LIBCMT ref: 0074CF22
_free.LIBCMT ref: 0074CF48
_free.LIBCMT ref: 0074CF71
_free.LIBCMT ref: 0074CFA9
_free.LIBCMT ref: 0074CFDA
_free.LIBCMT ref: 0074D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0074D09C
_free.LIBCMT ref: 0074D0B5

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a8b5646e8415a4f22581f623f1698c8d06727119f7dfe4d48fe3002950c5d474
Instruction ID: 8f3c71c923197a8a6a034b36ddb193dd0a9dcdd40d60a8691aa195c04a01bf6c
Opcode Fuzzy Hash: a8b5646e8415a4f22581f623f1698c8d06727119f7dfe4d48fe3002950c5d474
Instruction Fuzzy Hash: 61616B73A06340EFDF22AFB49C89A6E7BA5EF05310F04416DF940AB252DB7D9D4587A0

Function 007A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007A5186
ShowWindow.USER32(?,00000000), ref: 007A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007A51D1

Part of subcall function 007A6FBA: DeleteObject.GDI32(00000000), ref: 007A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007A5296

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: afd2f2385d4ee35b0e7da531ae241b62a88712b923c00a685bf8aeac89bb6807
Instruction ID: 8702e731ae5570ba536d7f5b738a1637fc5aec39b63a84a083f617c8f9a18d0a
Opcode Fuzzy Hash: afd2f2385d4ee35b0e7da531ae241b62a88712b923c00a685bf8aeac89bb6807
Instruction Fuzzy Hash: 19519070A41A08FEEF349F28DC4ABE93B65FB87321F148211F615962E1C77DA990DB41

Function 00728B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00766890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00728874,00000000,00000000,00000000,000000FF,00000000), ref: 00766901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0076691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00728874,00000000,00000000,00000000,000000FF,00000000), ref: 0076692D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2efea9f047332c8f8c57a0e0634f5859b518b1948e7b0b0bebc4cd87f458848f
Instruction ID: c322a1d137ec193d85169d28f928d754c2731438a3aeb6a7035f8a9607823914
Opcode Fuzzy Hash: 2efea9f047332c8f8c57a0e0634f5859b518b1948e7b0b0bebc4cd87f458848f
Instruction Fuzzy Hash: E35178B0A01209EFDB20CF24DC95FAA7BB5FB88750F14851CF916972A0DB79E990DB50

Function 0078C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0078C182
GetLastError.KERNEL32 ref: 0078C195
SetEvent.KERNEL32(?), ref: 0078C1A9

Part of subcall function 0078C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0078C272
Part of subcall function 0078C253: GetLastError.KERNEL32 ref: 0078C322
Part of subcall function 0078C253: SetEvent.KERNEL32(?), ref: 0078C336
Part of subcall function 0078C253: InternetCloseHandle.WININET(00000000), ref: 0078C341

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a86942dbc3231edef32a4409d5029b58db770a4abeb3eb23d5199aa6647ae432
Instruction ID: 85922222b3b36ceea9b08277edfb018b42acbed4a27901c3a23637768fe4fec0
Opcode Fuzzy Hash: a86942dbc3231edef32a4409d5029b58db770a4abeb3eb23d5199aa6647ae432
Instruction Fuzzy Hash: 43318C71640605BFDB23AFB5DC48A66BBF8FF59300B04841DF95686660DB39E8149BB0

Function 007725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00772601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00772605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0077260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00772623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00772627

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bcd81176dd1d628cfd7623935c5363bd69ec4795edef0e17b5502f1dba743bc2
Instruction ID: f349deb9227eaa5c586b99ac1e2baa8a9e0ed3f947f17a84d099687f19856b23
Opcode Fuzzy Hash: bcd81176dd1d628cfd7623935c5363bd69ec4795edef0e17b5502f1dba743bc2
Instruction Fuzzy Hash: DA01D471390214BBFB106768DC8FF593F59DB8EB52F108041F328AE0D1C9EA28459E6D

Function 00771803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00771449,?,?,00000000), ref: 0077180C
HeapAlloc.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 00771813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00771449,?,?,00000000), ref: 00771828
GetCurrentProcess.KERNEL32(?,00000000,?,00771449,?,?,00000000), ref: 00771830
DuplicateHandle.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 00771833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00771449,?,?,00000000), ref: 00771843
GetCurrentProcess.KERNEL32(00771449,00000000,?,00771449,?,?,00000000), ref: 0077184B
DuplicateHandle.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 0077184E
CreateThread.KERNEL32(00000000,00000000,00771874,00000000,00000000,00000000), ref: 00771868

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5df737b31a9b1c9511d4f859aa5092f8466e04aa022ca3f9bd325a26d7da0bda
Instruction ID: 87898c13a66add17a974d5164bee916431b6f46fe9492503eb0096984702e29c
Opcode Fuzzy Hash: 5df737b31a9b1c9511d4f859aa5092f8466e04aa022ca3f9bd325a26d7da0bda
Instruction Fuzzy Hash: AC01ACB5340308BFE611ABA5DC4AF573BACEB8AB11F418411FA05DB191DA7498008B25

Function 00743E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00743F0B
__alldvrm.LIBCMT ref: 0074410C
__alldvrm.LIBCMT ref: 0074412E

Strings

}}s, xrefs: 007440CD
}}s, xrefs: 00743E96, 00743EF1, 00743F0A, 00744090
}}s, xrefs: 00743E8A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}s$}}s$}}s
API String ID: 1036877536-1291969072
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1fa862bddcd80b2cdcd3967b96d5e0370edb57413298658c437698e8910e90ca
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: D9A14672E003869FEB25CF18C8917AEBBF4EF61350F1841AEE5959B282C73C8985D750

Function 0079A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0077D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0077D501
Part of subcall function 0077D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0077D50F
Part of subcall function 0077D4DC: CloseHandle.KERNELBASE(00000000), ref: 0077D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079A16D
GetLastError.KERNEL32 ref: 0079A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0079A268
GetLastError.KERNEL32(00000000), ref: 0079A273
CloseHandle.KERNEL32(00000000), ref: 0079A2C4

Strings

SeDebugPrivilege, xrefs: 0079A18F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d64aba492dc875eb11f58b9e4f29aa23bc956df80c3897ea62f871a3272205d2
Instruction ID: 84648d28c6efe1296582c53bcaa36a178e6a4445885b19195b87d3ebb621ee05
Opcode Fuzzy Hash: d64aba492dc875eb11f58b9e4f29aa23bc956df80c3897ea62f871a3272205d2
Instruction Fuzzy Hash: A461AF71209241AFDB20DF18D498F15BBE1AF84318F18848CE4664B7A3C77AEC85CBD2

Function 007A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007A3954
_wcslen.LIBCMT ref: 007A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007A39F4

Strings

SysListView32, xrefs: 007A38F7

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d756ce45eaa60cdf7b18a02cb6bcf03caf9d70a92634e29fafa0fd87611293a5
Instruction ID: 2d1d3c296e243c2087eee341f568cc2062283eed0b45ecc767097bedb288c194
Opcode Fuzzy Hash: d756ce45eaa60cdf7b18a02cb6bcf03caf9d70a92634e29fafa0fd87611293a5
Instruction Fuzzy Hash: 5F41C671A00218BBEF21DF64CC49FEA77A9EF49354F100226F958E7281D7799E80CB90

Function 0077BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077BCFD
IsMenu.USER32(00000000), ref: 0077BD1D
CreatePopupMenu.USER32 ref: 0077BD53
GetMenuItemCount.USER32(01115618), ref: 0077BDA4
InsertMenuItemW.USER32(01115618,?,00000001,00000030), ref: 0077BDCC

Strings

0, xrefs: 0077BCA8
2, xrefs: 0077BD37

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 709c07dc7a65a1a3da338779e45787830b191d7086e5a438020e98173b439735
Instruction ID: 043329400da1f108a0cee8bdc7de2762ec673f105c2d9153dcd542e9d413edc9
Opcode Fuzzy Hash: 709c07dc7a65a1a3da338779e45787830b191d7086e5a438020e98173b439735
Instruction Fuzzy Hash: 03518070B00305EFDF25CFA8D888BAEBBF4AF45394F24C169E41997291D778A941CB61

Function 00732D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00732D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00732D53
_ValidateLocalCookies.LIBCMT ref: 00732DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00732E0C
_ValidateLocalCookies.LIBCMT ref: 00732E61

Strings

csm, xrefs: 00732DF6
&Hs, xrefs: 00732DFE, 00732E07, 00732E18

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hs$csm
API String ID: 1170836740-1354961900
Opcode ID: 0207d7eaccc7ae423911718996c31001eb868b48f4ed3b4653b238bda937314e
Instruction ID: cbf83cd26fe9113664fd4031fe5b3581529f6dfd4801e48612d675d9881b3f06
Opcode Fuzzy Hash: 0207d7eaccc7ae423911718996c31001eb868b48f4ed3b4653b238bda937314e
Instruction Fuzzy Hash: EE419374A10209EBDF10DF68C849A9EBBB5BF44324F148155E915AB353D739EA06CBE0

Function 0077C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0077C913

Strings

blank, xrefs: 0077C895
question, xrefs: 0077C8CC
warning, xrefs: 0077C8FC
info, xrefs: 0077C8B4
stop, xrefs: 0077C8E4

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b3004f869a13d7faeaeaff0e4f2bf438feaea3cc9ef7cba6cdec3223dfc8e256
Instruction ID: daa68b2b1e5c4ac8de3066ee2b5346ae93924b72dbad2f4af70c1fb0b1e87d64
Opcode Fuzzy Hash: b3004f869a13d7faeaeaff0e4f2bf438feaea3cc9ef7cba6cdec3223dfc8e256
Instruction Fuzzy Hash: 9011EE3168930AFEEB065B549C82CDA67ACDF193A4B10842FF508A5282D76C7D005669

Function 0077DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0077DE42
gethostname.WSOCK32(?,00000100), ref: 0077DE5C
gethostbyname.WSOCK32(?), ref: 0077DE69
inet_ntoa.WSOCK32(?), ref: 0077DEAB
_strcat.LIBCMT ref: 0077DEB9
WSACleanup.WSOCK32 ref: 0077DEDE

Strings

0.0.0.0, xrefs: 0077DE87

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 7b35a8727dd6a082b2b8c7cc53ed613ba5e86a0e6209f6efd3d3a159d4123a69
Instruction ID: 2256a2199d3172eaf9781dfef8be688cde475d3d43fb15d06aad71b2c4f553d9
Opcode Fuzzy Hash: 7b35a8727dd6a082b2b8c7cc53ed613ba5e86a0e6209f6efd3d3a159d4123a69
Instruction Fuzzy Hash: F7110672904114FBDF36AB309C0AEEE77BCDF55751F0041A9F40996092EFBD9E818AA0

Function 0077ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0077ED2A
_wcslen.LIBCMT ref: 0077ED3B
_wcslen.LIBCMT ref: 0077ED79
_wcslen.LIBCMT ref: 0077EDAF
_wcslen.LIBCMT ref: 0077EDDF
_wcslen.LIBCMT ref: 0077EDEF
_wcslen.LIBCMT ref: 0077EE2B
_wcslen.LIBCMT ref: 0077EE5A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 374e45c2ede5f48277fa5513aac3a517a23a8a33dfd6ae53a2db0396b6dcbae7
Instruction ID: d27baaf659fcf280150b40660b486edef22881bc1c04af6a2d0cfec3c3412e67
Opcode Fuzzy Hash: 374e45c2ede5f48277fa5513aac3a517a23a8a33dfd6ae53a2db0396b6dcbae7
Instruction Fuzzy Hash: 80419666C10118B5EB21EBF4888EACF77A8AF49710F508462F518E3123FB3CE655C3A5

Function 0072F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0072F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0076F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0076F454

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0181240a7d32f1a239a6565589521c509766db7eb923d938e15fa7cedbe97c8f
Instruction ID: aaa872d5f42dd3b604d00f0b5aafbc98e9c0a6addc0113da47d67118295efcad
Opcode Fuzzy Hash: 0181240a7d32f1a239a6565589521c509766db7eb923d938e15fa7cedbe97c8f
Instruction Fuzzy Hash: AE410A31608690BEC7399B2DF88872A7BB5AB96314F54843DE4C7D6661DA3DB8C0CB11

Function 007A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A2D1B
GetDC.USER32(00000000), ref: 007A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007A2DE1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6ba767d388ac09378804cf26e1d44bdc63c3a23a752d26f7c916e672b321e3ed
Instruction ID: 7d7bd8a1d2d54d25b90b6c3c2c37ea6c3335fd060f2ce4f3bc0291cfc67eaf5c
Opcode Fuzzy Hash: 6ba767d388ac09378804cf26e1d44bdc63c3a23a752d26f7c916e672b321e3ed
Instruction Fuzzy Hash: 9A318072201214BFEB158F54CC89FEB3FADEF8A715F048155FE089A292C6799C51C7A4

Function 00775622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00775637
_memcmp.LIBVCRUNTIME ref: 00775659
_memcmp.LIBVCRUNTIME ref: 00775671
_memcmp.LIBVCRUNTIME ref: 00775684
_memcmp.LIBVCRUNTIME ref: 0077569E
_memcmp.LIBVCRUNTIME ref: 007756B1
_memcmp.LIBVCRUNTIME ref: 007756C9
_memcmp.LIBVCRUNTIME ref: 007756E4

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1f48fc5ac123f200f7c0f433b8038486604562e021d690073858156da749252e
Instruction ID: 9f5cdf6266d20c1969ab24c6d755083bde103c94d6bdaed90506daffad9363ad
Opcode Fuzzy Hash: 1f48fc5ac123f200f7c0f433b8038486604562e021d690073858156da749252e
Instruction Fuzzy Hash: 6821FCA1740A09B7EA1857218D82FFA335CAF517D4F848120FD0CDA542F7ADEE1082F5

Function 00794FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0079502E, 00795383
Not an Object type, xrefs: 00795007

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bce51717ed59c1fc527467d3724397b1d50dc16ad0495abcb7b20555019e0f6d
Instruction ID: 091218591e2498ce87cb8a9748c28ffec8dca6af14bfd5fd8502ea3b2c01d1c4
Opcode Fuzzy Hash: bce51717ed59c1fc527467d3724397b1d50dc16ad0495abcb7b20555019e0f6d
Instruction Fuzzy Hash: 35D1E471A0061AAFDF11CFA8E885BAEB7B5FF48344F148169E915AB281E374DD41CB90

Function 00751522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00751651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007516FB

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00751777
__freea.LIBCMT ref: 007517A2
__freea.LIBCMT ref: 007517AE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7f04e7bfc9461c7b176e496d607b810a75c5d89ebd97454612885a6fdc0bd8c3
Instruction ID: e3bcdbfa30defbe245a3376009d1589fad420cbb2a65c49ef194ce2465f74dd1
Opcode Fuzzy Hash: 7f04e7bfc9461c7b176e496d607b810a75c5d89ebd97454612885a6fdc0bd8c3
Instruction Fuzzy Hash: 6B91D571E002169ADB208E78C885BEE7BB5DF49313F984659EC01E7141EBBDCD48C760

Function 00794523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00794648
VariantInit.OLEAUT32(?), ref: 00794749
VariantClear.OLEAUT32(?), ref: 00794753
VariantClear.OLEAUT32(?), ref: 007947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0079472C
Null Object assignment in FOR..IN loop, xrefs: 007945D8, 00794706, 007947BE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0242f82af90ed75098cb27ea95a19536a199611ae61f0cde4dccbd00af1f952e
Instruction ID: 57da5829f894b22822e49af9a33af9ff3f90da0972e4413065a4073307675847
Opcode Fuzzy Hash: 0242f82af90ed75098cb27ea95a19536a199611ae61f0cde4dccbd00af1f952e
Instruction Fuzzy Hash: 12919471A00219EBDF24CFA4DC48FAE7BB8EF46714F108559F505AB280D7789942CFA0

Function 00781187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0078125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00781284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0078135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00781430

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 68761571e62faa0e929e591d00ff3d2b1fcd906f192097b1c3b72246cebb4f22
Instruction ID: c58f0240b76f4c088f7d9e479dd4be0860ab5a4fb8985a9a9b5c25ed038da7d4
Opcode Fuzzy Hash: 68761571e62faa0e929e591d00ff3d2b1fcd906f192097b1c3b72246cebb4f22
Instruction Fuzzy Hash: 5591D471A40218EFDB01EF98C888BBE77B9FF45325F504029E905E7291D77CA946CB94

Function 0072948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5e263921f4defef66cafa9e19f203cefb1f42a99350fcf2e3ffa308719413d2b
Instruction ID: 1db8bfb72d5145652abec93baf0134b1f96d1a98a68990e29a41a9bfac568acd
Opcode Fuzzy Hash: 5e263921f4defef66cafa9e19f203cefb1f42a99350fcf2e3ffa308719413d2b
Instruction Fuzzy Hash: 75915C71E00219EFCB15CFA9DC84AEEBBB8FF49320F148055E915B7291D378A951CB60

Function 00793947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0079396B
CharUpperBuffW.USER32(?,?), ref: 00793A7A
_wcslen.LIBCMT ref: 00793A8A
VariantClear.OLEAUT32(?), ref: 00793C1F

Part of subcall function 00780CDF: VariantInit.OLEAUT32(00000000), ref: 00780D1F
Part of subcall function 00780CDF: VariantCopy.OLEAUT32(?,?), ref: 00780D28
Part of subcall function 00780CDF: VariantClear.OLEAUT32(?), ref: 00780D34

Strings

AUTOIT.ERROR, xrefs: 00793A80, 00793A85
Incorrect Parameter format, xrefs: 007939A6, 00793BA1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 2258d3928beb7d6350e2563c79eebb989b527776ed82de6830bd701f53d7f29f
Instruction ID: 486d14978b32bb3dc3e34b91c8cb593a2fd92ca05da94d29e879775daeea1db3
Opcode Fuzzy Hash: 2258d3928beb7d6350e2563c79eebb989b527776ed82de6830bd701f53d7f29f
Instruction Fuzzy Hash: 249144756083059FCB04EF28D48596AB7E5FF89314F14882DF8899B351DB38EE45CB92

Function 00794BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0077000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?,?,0077035E), ref: 0077002B
Part of subcall function 0077000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770046
Part of subcall function 0077000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770054
Part of subcall function 0077000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?), ref: 00770064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00794C51
_wcslen.LIBCMT ref: 00794D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00794DCF
CoTaskMemFree.OLE32(?), ref: 00794DDA

Strings

NULL Pointer assignment, xrefs: 00794E23, 00794E52

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c4465fa0171a2ca5f26711f2dd830170346cf0ee0ebbecacebba3ac32d36c97f
Instruction ID: a826c8bec5a95e51e26e92f8b7ef1400dbebae25387448eafb4f7f08564c63f1
Opcode Fuzzy Hash: c4465fa0171a2ca5f26711f2dd830170346cf0ee0ebbecacebba3ac32d36c97f
Instruction Fuzzy Hash: 7F911771D00219EFDF15DFA4D895EEEB7B8BF08310F108169E919A7291DB389A45CFA0

Function 007A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007A2183
GetMenuItemCount.USER32(00000000), ref: 007A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007A21DD
_wcslen.LIBCMT ref: 007A2213
GetMenuItemID.USER32(?,?), ref: 007A224D
GetSubMenu.USER32(?,?), ref: 007A225B

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007A22E3

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 598d780d91d80aa498626412f72a764bace394f9f084e7319b0e1ef62a4e19cc
Instruction ID: 5f496f74baad75f0e164df5f4c66a4e0a5cd03224669a34c737b03a01ffbc9f8
Opcode Fuzzy Hash: 598d780d91d80aa498626412f72a764bace394f9f084e7319b0e1ef62a4e19cc
Instruction Fuzzy Hash: C1718135A00205EFCB15DF68C845AAEB7F5FF89310F158559E816EB392DB38ED428B90

Function 007A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01115550), ref: 007A7F37
IsWindowEnabled.USER32(01115550), ref: 007A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007A801E
SendMessageW.USER32(01115550,000000B0,?,?), ref: 007A8051
IsDlgButtonChecked.USER32(?,?), ref: 007A8089
GetWindowLongW.USER32(01115550,000000EC), ref: 007A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007A80C3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3c4edfcfaa1dbe97fb2fd9842830cf83a4addba1c842c604a13b4f7a8dffac58
Instruction ID: 81494061b779caa36139122ad32bc755e05c6e369050f132fc9ae74d1bbf7e0f
Opcode Fuzzy Hash: 3c4edfcfaa1dbe97fb2fd9842830cf83a4addba1c842c604a13b4f7a8dffac58
Instruction Fuzzy Hash: 2A71BF35608244EFEF29DF54CC84FAA7BB5EF8B300F144299F94597261CB39AA46CB10

Function 0077AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0077AEF9
GetKeyboardState.USER32(?), ref: 0077AF0E
SetKeyboardState.USER32(?), ref: 0077AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0077AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0077AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0077AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0077B020

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 222692f3ca71d8dbf98498b7378c586ef855c07494137cda8107be305461aac1
Instruction ID: f839fcb0f75cd0a06b3deb4fdb94dbffd986f4999fd90ed1407a26f67d0aa1e9
Opcode Fuzzy Hash: 222692f3ca71d8dbf98498b7378c586ef855c07494137cda8107be305461aac1
Instruction Fuzzy Hash: 7F51C0A06087D53DFF3682348849BBABEA95B46384F08C589E1DD958C2C3DCE888D761

Function 0077ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0077AD19
GetKeyboardState.USER32(?), ref: 0077AD2E
SetKeyboardState.USER32(?), ref: 0077AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0077ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0077ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0077AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0077AE38

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0772cbb387c9055a35cae5a5b89b6487cdac92207deeaee35665a6b35020ef3b
Instruction ID: ea15915b231fe0a9e65c5539d6a12179a46f456cf7f5996246cb9231d428082b
Opcode Fuzzy Hash: 0772cbb387c9055a35cae5a5b89b6487cdac92207deeaee35665a6b35020ef3b
Instruction Fuzzy Hash: F051A3A16047D53DFF3783248C56BBE7EA96B86340F08C589E1DD46882D29CAC94D752

Function 0074542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00753CD6,?,?,?,?,?,?,?,?,00745BA3,?,?,00753CD6,?,?), ref: 00745470
__fassign.LIBCMT ref: 007454EB
__fassign.LIBCMT ref: 00745506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00753CD6,00000005,00000000,00000000), ref: 0074552C
WriteFile.KERNEL32(?,00753CD6,00000000,00745BA3,00000000,?,?,?,?,?,?,?,?,?,00745BA3,?), ref: 0074554B
WriteFile.KERNEL32(?,?,00000001,00745BA3,00000000,?,?,?,?,?,?,?,?,?,00745BA3,?), ref: 00745584

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bf03449d3132c7b7934d3329b0ae1782cad7f96788510cb015565ff195c46e50
Instruction ID: 10bf75a695019a5eb57b5524ba20365d7e455ab97ff693bd6fef1dce28cb63fe
Opcode Fuzzy Hash: bf03449d3132c7b7934d3329b0ae1782cad7f96788510cb015565ff195c46e50
Instruction Fuzzy Hash: 2851E670A00649AFDB11CFA8D885AEEFBFAEF09300F14411AF555E7292E7349A51CB60

Function 007910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0079307A
Part of subcall function 0079304E: _wcslen.LIBCMT ref: 0079309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00791112
WSAGetLastError.WSOCK32 ref: 00791121
WSAGetLastError.WSOCK32 ref: 007911C9
closesocket.WSOCK32(00000000), ref: 007911F9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 32c704fbb015dfe37e782e4ab78e3fa7e23fd2a6ea55ab3f9be9c6800e7d89e0
Instruction ID: 443a8aaf88ddbaacbe4aaf25af00f731db032f0474a022cc33d394f72780b2cf
Opcode Fuzzy Hash: 32c704fbb015dfe37e782e4ab78e3fa7e23fd2a6ea55ab3f9be9c6800e7d89e0
Instruction Fuzzy Hash: B541F431600209FFDB119F58D888BA9BBEAFF85324F148059F9159B291D778ED81CBA1

Function 0077CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0077CF22,?), ref: 0077DDFD

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0077CF22,?), ref: 0077DE16

lstrcmpiW.KERNEL32(?,?), ref: 0077CF45
MoveFileW.KERNEL32(?,?), ref: 0077CF7F
_wcslen.LIBCMT ref: 0077D005
_wcslen.LIBCMT ref: 0077D01B
SHFileOperationW.SHELL32(?), ref: 0077D061

Strings

\*.*, xrefs: 0077CFF3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 57a80be3a6d7426630cc611d64db7763978f18860d8ce00b6cf31345cbc61ddf
Instruction ID: 0a7a506feae95326bdfbbdbe4bbc846970fe3cccbb7fec4fbae78eac38b043bf
Opcode Fuzzy Hash: 57a80be3a6d7426630cc611d64db7763978f18860d8ce00b6cf31345cbc61ddf
Instruction Fuzzy Hash: F74157729052189EDF17EFA4C985BDDB7B9AF09380F0440E6E509E7142EA38AA44CB50

Function 007A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A2F0B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 23aebe6b5ca12811621ccb2092da6542b400fb75c878d063ddb77841c4a8c8ee
Instruction ID: c310c7d8a3e36e395a4c7a68bfb87f3074e547fdeab5bd17e06dd89eb09ee7bd
Opcode Fuzzy Hash: 23aebe6b5ca12811621ccb2092da6542b400fb75c878d063ddb77841c4a8c8ee
Instruction Fuzzy Hash: 8631F230609290EFEB21CF5CDC89F6537E1EB8A710F1542A4F9008F2B2CB79A881DB45

Function 00777726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077778F
SysAllocString.OLEAUT32(00000000), ref: 00777792
SysAllocString.OLEAUT32(?), ref: 007777B0
SysFreeString.OLEAUT32(?), ref: 007777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007777DE
SysAllocString.OLEAUT32(?), ref: 007777EC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dc94e21a2581204b017bb9579b070910d39d1676ee872da0b6587054db701deb
Instruction ID: 09a9dcb49e9006cf5908129c2e009c96f134ff7a7f7c4ed34da84dff5c16c833
Opcode Fuzzy Hash: dc94e21a2581204b017bb9579b070910d39d1676ee872da0b6587054db701deb
Instruction Fuzzy Hash: 97219C76604219BFDF199FA8DC89CBB77ACEB093A4700C025FA08DB150D6789C41C7A8

Function 007777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777868
SysAllocString.OLEAUT32(00000000), ref: 0077786B
SysAllocString.OLEAUT32 ref: 0077788C
SysFreeString.OLEAUT32 ref: 00777895
StringFromGUID2.OLE32(?,?,00000028), ref: 007778AF
SysAllocString.OLEAUT32(?), ref: 007778BD

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3952221629029407c4c102486b225feea54e79d5ea8813fedfd5be869305737c
Instruction ID: 9e3dcb49674d962a2c720522d141ad1aedd61244d11c3c988cc51fe0af1a02c4
Opcode Fuzzy Hash: 3952221629029407c4c102486b225feea54e79d5ea8813fedfd5be869305737c
Instruction Fuzzy Hash: 36218E71608204BF9F159BA8DC8CDBA77ECEB493A0710C125F919CB2A1DA78DC41CB69

Function 007804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0078052E

Strings

nul, xrefs: 00780567

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b40fa0838365418bacb923c96461c477e7681888106ead078c16920ae6fd27bd
Instruction ID: 7b8f6bda2c5ffe09df9b6f25b1e90c2463d79f61a8da658618865e81941c0a9d
Opcode Fuzzy Hash: b40fa0838365418bacb923c96461c477e7681888106ead078c16920ae6fd27bd
Instruction Fuzzy Hash: F2218071640305AFDB20AF29DC08E9A77F4BF85724F204A19F8A1D62E0D7749968CFB0

Function 007805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00780601

Strings

nul, xrefs: 00780639

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ec328e11b76ccff67adcac441180115cad45139a064b99ef8e98e3e47f8efb8d
Instruction ID: c91ddfd124518ab22963c918711ac8f18e4687b9b3f0c2015bb1eba70a67dbd6
Opcode Fuzzy Hash: ec328e11b76ccff67adcac441180115cad45139a064b99ef8e98e3e47f8efb8d
Instruction Fuzzy Hash: 8521B775640305AFDB60AF68CC08A5A77F4BF85720F204B19F8B1D32D0E7749864CBA0

Function 007A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0071600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
Part of subcall function 0071600E: GetStockObject.GDI32(00000011), ref: 00716060
Part of subcall function 0071600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007A4145

Strings

Msctls_Progress32, xrefs: 007A40E3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af3995b0c90db14dfc0402c096d5c7453315158fbb1fda31bb7ec055b6f5b108
Instruction ID: 1b83b845f1595856cc86a4abe0b7f6901d3b5097a2e3b11519934f9dc5678275
Opcode Fuzzy Hash: af3995b0c90db14dfc0402c096d5c7453315158fbb1fda31bb7ec055b6f5b108
Instruction Fuzzy Hash: 5E11B6B214011DBEEF119F64CC85EE77F9DEF49798F004211B618A6150C6769C61DBA4

Function 0074D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0074D7A3: _free.LIBCMT ref: 0074D7CC

_free.LIBCMT ref: 0074D82D

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074D838
_free.LIBCMT ref: 0074D843
_free.LIBCMT ref: 0074D897
_free.LIBCMT ref: 0074D8A2
_free.LIBCMT ref: 0074D8AD
_free.LIBCMT ref: 0074D8B8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b320a4b62d0a679d12d76f64c39e08dea60116b76b557046721243a63fd439b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D111DD71541B04EBE932BFB1CC4BFCB7BDC6F05700F804825B2D9A65A2DB79B9164A50

Function 0077DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0077DA74
LoadStringW.USER32(00000000), ref: 0077DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0077DA91
LoadStringW.USER32(00000000), ref: 0077DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0077DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0077DAB9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 54ca8737d381320f9bdd0e509c3768f78c1f120ad13d7826effbdc8666f8b3c9
Instruction ID: 338dbc0c5e1da14efc52f98b726e3c234bd3d4ebef394f32c4e02f25a59f4b12
Opcode Fuzzy Hash: 54ca8737d381320f9bdd0e509c3768f78c1f120ad13d7826effbdc8666f8b3c9
Instruction Fuzzy Hash: E50162F25002087FEB11DBA0DD89EE7336CEB09741F408496B70AE2041EA789E844F74

Function 0078096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0110ECF0,0110ECF0), ref: 0078097B
EnterCriticalSection.KERNEL32(0110ECD0,00000000), ref: 0078098D
TerminateThread.KERNEL32(?,000001F6), ref: 0078099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007809A9
CloseHandle.KERNEL32(?), ref: 007809B8
InterlockedExchange.KERNEL32(0110ECF0,000001F6), ref: 007809C8
LeaveCriticalSection.KERNEL32(0110ECD0), ref: 007809CF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8ff25daf169209225ff19b02cd595b3a0898eadb738b21e244c51b329fcfd4f6
Instruction ID: 21c661b928f8a2bb304b205e712d579faaef1b687436dda6ecf709f7da615aa3
Opcode Fuzzy Hash: 8ff25daf169209225ff19b02cd595b3a0898eadb738b21e244c51b329fcfd4f6
Instruction Fuzzy Hash: E8F04431542502FBD7425F94EE8DBD67B35FF42702F405015F101508A0CB78A475CF95

Function 00715D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00715D30
GetWindowRect.USER32(?,?), ref: 00715D71
ScreenToClient.USER32(?,?), ref: 00715D99
GetClientRect.USER32(?,?), ref: 00715ED7
GetWindowRect.USER32(?,?), ref: 00715EF8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bd86771ee0a4adb37cdb616d5640542bc3f8d304354d3abfe2add92e660f48e2
Instruction ID: bab8dfe7f80b3d07cd17da5d6480cb68adf285f2a32c966f5e531b30352ed936
Opcode Fuzzy Hash: bd86771ee0a4adb37cdb616d5640542bc3f8d304354d3abfe2add92e660f48e2
Instruction Fuzzy Hash: 2AB17B34A0064ADBDB14CFA8C4807EEB7F1FF84314F14851AE8A9D7290D738AA95DB54

Function 007401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007400D6
__allrem.LIBCMT ref: 007400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0074010B
__allrem.LIBCMT ref: 00740122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00740140

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 934cd40fed86ad28cbe13f1e092e33dd65c2e715ff2e28a3c58434ae9a1df0b8
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: CF81F676A00706EBE720AE39CC45B6F73E9AF51364F24453AFA51D7682E778DD008B90

Function 00791D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00793149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0079101C,00000000,?,?,00000000), ref: 00793195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00791DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00791DE1
WSAGetLastError.WSOCK32 ref: 00791DF2
inet_ntoa.WSOCK32(?), ref: 00791E8C
htons.WSOCK32(?,?,?,?,?), ref: 00791EDB
_strlen.LIBCMT ref: 00791F35

Part of subcall function 007739E8: _strlen.LIBCMT ref: 007739F2

Part of subcall function 00716D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0072CF58,?,?,?), ref: 00716DBA
Part of subcall function 00716D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0072CF58,?,?,?), ref: 00716DED

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 244447ed86aea623d108b63ed0a4eb4e576ec0ff66a00ebeeeccf0737ff6169c
Instruction ID: d834b730b5a71771cf3ae54e5c814547960bfb44a927a7c7fa8f3a97e84c5d7a
Opcode Fuzzy Hash: 244447ed86aea623d108b63ed0a4eb4e576ec0ff66a00ebeeeccf0737ff6169c
Instruction Fuzzy Hash: 93A10331204341EFCB14DF24D889E6AB7E5AF85308F94894CF4565B2E2DB39ED82CB91

Function 007461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007382D9,007382D9,?,?,?,0074644F,00000001,00000001,8BE85006), ref: 00746258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0074644F,00000001,00000001,8BE85006,?,?,?), ref: 007462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007463D8
__freea.LIBCMT ref: 007463E5

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

__freea.LIBCMT ref: 007463EE
__freea.LIBCMT ref: 00746413

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 365f97954fd25fcf71ab2548235e651a749657fb7dbb8b6e2ccd769453307e5c
Instruction ID: d003556acf7cc89bcb35faa0134dfadf6f7f799ecc34295b25a0b934bb3ccb50
Opcode Fuzzy Hash: 365f97954fd25fcf71ab2548235e651a749657fb7dbb8b6e2ccd769453307e5c
Instruction Fuzzy Hash: 1951E172A00256ABEB258F64CC85EBF7BAAEF46750F144669FC05D6180EB7CDC40C6A1

Function 0079BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079BD25
RegCloseKey.ADVAPI32(00000000), ref: 0079BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0079BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0079BDF3
RegCloseKey.ADVAPI32(?), ref: 0079BDFF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 8bb399836e31c10ebf6d1f0b82dd50b74484895506f7ec495f46c4ee40d2f8a4
Instruction ID: e42279537fe5cf3be91be60ad1afef9cf88d2b0e0539ac95392fab1511ba2836
Opcode Fuzzy Hash: 8bb399836e31c10ebf6d1f0b82dd50b74484895506f7ec495f46c4ee40d2f8a4
Instruction Fuzzy Hash: 7B81CD30208241EFCB14DF24D995E6ABBE5FF85308F14885CF5594B2A2DB39ED45CB92

Function 0076F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0076F7B9
SysAllocString.OLEAUT32(00000001), ref: 0076F860
VariantCopy.OLEAUT32(0076FA64,00000000), ref: 0076F889
VariantClear.OLEAUT32(0076FA64), ref: 0076F8AD
VariantCopy.OLEAUT32(0076FA64,00000000), ref: 0076F8B1
VariantClear.OLEAUT32(?), ref: 0076F8BB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 39be56acca62131d513032b652e6bcec09de1c867e5df132f6e8a0a09f99ac7a
Instruction ID: 37b7ac6a2232b38e2e3b0c3cdc87627fd611a7bfc4dc6c07b787581a1d3ede74
Opcode Fuzzy Hash: 39be56acca62131d513032b652e6bcec09de1c867e5df132f6e8a0a09f99ac7a
Instruction Fuzzy Hash: 0951B631601310FACF24AB65E899B69B3E9EF45310B249467ED07DF291DB789C40CB96

Function 0078910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007894E5
_wcslen.LIBCMT ref: 00789506
_wcslen.LIBCMT ref: 0078952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00789585

Strings

X, xrefs: 00789412

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c33aaddf2efe29bf738c726e84722c992d318f1ecd7657e443923929d21eaee9
Instruction ID: 32a75576053e7a41b55c92101b8a47a3cd18d51b7b4abc4e7a46a7615d474caa
Opcode Fuzzy Hash: c33aaddf2efe29bf738c726e84722c992d318f1ecd7657e443923929d21eaee9
Instruction Fuzzy Hash: F6E1B431504340DFD724EF28C885AAAB7E0BF85314F08856DF9999B2A2DB39ED45CB91

Function 0072920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

BeginPaint.USER32(?,?,?), ref: 00729241
GetWindowRect.USER32(?,?), ref: 007292A5
ScreenToClient.USER32(?,?), ref: 007292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007292D3
EndPaint.USER32(?,?,?,?,?), ref: 00729321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007671EA

Part of subcall function 00729339: BeginPath.GDI32(00000000), ref: 00729357

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8d77930e50d72ed3c1834ea5057273e897f5fdecc51344a90917529feb8c9b5c
Instruction ID: d9877d1b4fdb6510af0a0610396975b7c1777886fa3b864099af432ffed39cb9
Opcode Fuzzy Hash: 8d77930e50d72ed3c1834ea5057273e897f5fdecc51344a90917529feb8c9b5c
Instruction Fuzzy Hash: A841D270105250EFD711DF24DC85FBA7BF8EB8A364F184229FA558B2A2C738A845DB61

Function 007807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0078080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00780847
EnterCriticalSection.KERNEL32(?), ref: 00780863
LeaveCriticalSection.KERNEL32(?), ref: 007808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00780921

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 03fe32ca514ff4c093c81e2ede86453087b414ba0f3fe8422f6f6face66baecd
Instruction ID: d4124d6d6eaa41f4709f2958efed107cfa10137ba232306d6a230d0ad6589633
Opcode Fuzzy Hash: 03fe32ca514ff4c093c81e2ede86453087b414ba0f3fe8422f6f6face66baecd
Instruction Fuzzy Hash: A3418D71A00205EFDF15AF54DC85AAA7778FF44310F1480B9ED00AA297DB38EE65DBA4

Function 007A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0076F3AB,00000000,?,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 007A824C
EnableWindow.USER32(?,00000000), ref: 007A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007A82D1
ShowWindow.USER32(?,00000004), ref: 007A82E5
EnableWindow.USER32(?,00000001), ref: 007A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007A832F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 449ac696c46614cd7a3a9dcd69792935650a4b90bae45384b675f0f2a6200cdf
Instruction ID: 1a61f3781e4aa8a6525ebfa625d660b535f0d0f268c456ecb0d35135aff55593
Opcode Fuzzy Hash: 449ac696c46614cd7a3a9dcd69792935650a4b90bae45384b675f0f2a6200cdf
Instruction Fuzzy Hash: 8041A630601684EFDF55CF14D899BA47BE0FB8B714F1842A5E6484F2A2CB396841CF56

Function 00774C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00774C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00774CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00774CEA
_wcslen.LIBCMT ref: 00774D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00774D10
_wcsstr.LIBVCRUNTIME ref: 00774D1A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9cc5cba996f14841dbb1dbf300bbe1d73a84265607b314c9e3dc516168c583a0
Instruction ID: 5f0027283bbee1c28cb1fcf7fcf94576a4574ff501fa988369f73cb72357ea09
Opcode Fuzzy Hash: 9cc5cba996f14841dbb1dbf300bbe1d73a84265607b314c9e3dc516168c583a0
Instruction Fuzzy Hash: 3321FC31704210BBEF269B39AC49E7B7BACDF46790F10C079F909CA152EF69DC0196A0

Function 0078581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

_wcslen.LIBCMT ref: 0078587B
CoInitialize.OLE32(00000000), ref: 00785995
CoCreateInstance.OLE32(007AFCF8,00000000,00000001,007AFB68,?), ref: 007859AE
CoUninitialize.OLE32 ref: 007859CC

Strings

.lnk, xrefs: 00785876, 007858C1, 00785985

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: aa7d380027c503b89f904981543c7976af8bb58978d2ca0e5f986a070595334b
Instruction ID: f8a96ac652b3e176f9f853fad41bec5c444adacae372b3beb4e22e432c6b2ebb
Opcode Fuzzy Hash: aa7d380027c503b89f904981543c7976af8bb58978d2ca0e5f986a070595334b
Instruction Fuzzy Hash: CAD164B1604600DFC714EF28C48496ABBF2FF89710F148859F8899B361DB39EC45CB92

Function 0077175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00770FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00770FCA
Part of subcall function 00770FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00770FD6
Part of subcall function 00770FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00770FE5
Part of subcall function 00770FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00770FEC
Part of subcall function 00770FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00771002

GetLengthSid.ADVAPI32(?,00000000,00771335), ref: 007717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007717BA
HeapAlloc.KERNEL32(00000000), ref: 007717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007717DA
GetProcessHeap.KERNEL32(00000000,00000000,00771335), ref: 007717EE
HeapFree.KERNEL32(00000000), ref: 007717F5

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d3b02d56c4187fc380885b36928dc8575edbbb08a98201ff1ee6d5f004ec8cf1
Instruction ID: 8ed5e9991a0465e5a934a10b3af634b5a47f608cb001feade70c71aea4b97aae
Opcode Fuzzy Hash: d3b02d56c4187fc380885b36928dc8575edbbb08a98201ff1ee6d5f004ec8cf1
Instruction Fuzzy Hash: 55117C71600209FFDF199FA8CC49BAF7BA9EB86395F50C018F44597210D739A944CFA0

Function 007714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00771506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00771515
CloseHandle.KERNEL32(00000004), ref: 00771520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0077154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00771563

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6748936c245cea50d734746a489ac87a9c3e8a1344bd80e221dd226d660851b8
Instruction ID: 5b381dcc736f60cc94a0fd1a315759107b45225552f6b37422945c5c586b3ad5
Opcode Fuzzy Hash: 6748936c245cea50d734746a489ac87a9c3e8a1344bd80e221dd226d660851b8
Instruction Fuzzy Hash: AF113A7250024DBBDF128F98DD49FDE7BA9EF89744F048055FA09A2160C379CE64DB61

Function 00733382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00733379,00732FE5), ref: 00733390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0073339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007333B7
SetLastError.KERNEL32(00000000,?,00733379,00732FE5), ref: 00733409

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 06a5d07238b3e98a52c5dbdb5c47f83aff48b18134a257c23df1a4b67de7bf31
Instruction ID: a511d4771ce9f10f6cfae09293ef845fac0fef325e1fe403ed703c08272bfe34
Opcode Fuzzy Hash: 06a5d07238b3e98a52c5dbdb5c47f83aff48b18134a257c23df1a4b67de7bf31
Instruction Fuzzy Hash: D001F73360E312FEBA3627757C8A6676BA4EB05379F20C22AF410852F3EF1D4D019548

Function 00742D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00745686,00753CD6,?,00000000,?,00745B6A,?,?,?,?,?,0073E6D1,?,007D8A48), ref: 00742D78
_free.LIBCMT ref: 00742DAB
_free.LIBCMT ref: 00742DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0073E6D1,?,007D8A48,00000010,00714F4A,?,?,00000000,00753CD6), ref: 00742DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0073E6D1,?,007D8A48,00000010,00714F4A,?,?,00000000,00753CD6), ref: 00742DEC
_abort.LIBCMT ref: 00742DF2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: da134ac0ea65c57ae2be20e26bd6331a309c1563fdd3b39fee092ef1f3474f35
Instruction ID: 96582149e7a18aa565d2bd9d77c745bc56a14802e904a7250713dd578122b68a
Opcode Fuzzy Hash: da134ac0ea65c57ae2be20e26bd6331a309c1563fdd3b39fee092ef1f3474f35
Instruction Fuzzy Hash: 79F0A431A05A01B7C6176735AC0EB1A2669AFC27A1B644419F824921A3EF6C98235961

Function 007A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00729639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296A2
Part of subcall function 00729639: BeginPath.GDI32(?), ref: 007296B9
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007A8A70
LineTo.GDI32(?,00000000,00000003), ref: 007A8A80
EndPath.GDI32(?), ref: 007A8A90
StrokePath.GDI32(?), ref: 007A8AA0

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f189f7e5377d671cdcd34bcb2df62b6c4fbd0e0e5763f17844bded78397a432d
Instruction ID: 4f4340b4b2601cdd0fea9a7bc33a75edba9c1d00a44da350c2eb9aff0ba56d33
Opcode Fuzzy Hash: f189f7e5377d671cdcd34bcb2df62b6c4fbd0e0e5763f17844bded78397a432d
Instruction Fuzzy Hash: CB11057600014CFFEB129F90DC88EAA7FACEB09350F04C022BA199A1A1C775AD55DBA4

Function 007751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00775218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00775229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00775230
ReleaseDC.USER32(00000000,00000000), ref: 00775238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0077524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00775261

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b3e319468c20a5904b1dcba83accac3ccb0fe2764d29e547bcc09d44900790ff
Instruction ID: 9d16cef0de00a27920edc8651dfc34e6fd2cbf97a01d1a1cc0abf62477e07d94
Opcode Fuzzy Hash: b3e319468c20a5904b1dcba83accac3ccb0fe2764d29e547bcc09d44900790ff
Instruction Fuzzy Hash: A9018FB5A00708BBEF119BA59C49A4EBFB8FB89351F048065FA04A7281D6749C00CBA4

Function 00711BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00711BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00711C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00711C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00711C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00711C22

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fc642aee033f1221e76e13a64784fe0779d9a835314785496a78a6f3dfd8d76a
Instruction ID: a20a0c87b58452d5c1ddddab5f1d37eb41ec8c55d5821e473e5ae642fe3e6d68
Opcode Fuzzy Hash: fc642aee033f1221e76e13a64784fe0779d9a835314785496a78a6f3dfd8d76a
Instruction Fuzzy Hash: 9B0167B0902B5ABDE3008F6A8C85B52FFE8FF59354F04415BA15C4BA42C7F5A864CBE5

Function 0077EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0077EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0077EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0077EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB75

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0d377c04bfc5174237b0e949df107f1c5106daff4dce21238caee43cc5929a47
Instruction ID: 0f139b76699644a87a5f3d4eddf8348181555bf9412fe73629aba430720de79f
Opcode Fuzzy Hash: 0d377c04bfc5174237b0e949df107f1c5106daff4dce21238caee43cc5929a47
Instruction Fuzzy Hash: 99F054B2240158BBE7225B52DC0EEEF3E7CEFCBB11F008159F601D1091DBA85A01C6B9

Function 00767439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00767452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00767469
GetWindowDC.USER32(?), ref: 00767475
GetPixel.GDI32(00000000,?,?), ref: 00767484
ReleaseDC.USER32(?,00000000), ref: 00767496
GetSysColor.USER32(00000005), ref: 007674B0

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 955d9d2d1692ecae10325e30531b312c775556a2193b78c03b514b7309e399df
Instruction ID: 3d61583e9d91f65e67d43268180fb97b0f65bd871d68cb52166a922b7edf9fa1
Opcode Fuzzy Hash: 955d9d2d1692ecae10325e30531b312c775556a2193b78c03b514b7309e399df
Instruction Fuzzy Hash: 26018B31400215FFDB129FA4DD08BAA7FB5FB45311F648060FD16A61A0CF391E51EB54

Function 00771874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0077187F
UnloadUserProfile.USERENV(?,?), ref: 0077188B
CloseHandle.KERNEL32(?), ref: 00771894
CloseHandle.KERNEL32(?), ref: 0077189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007718A5
HeapFree.KERNEL32(00000000), ref: 007718AC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ff7577a8d729257f1c7764fb8715b9552954c501a4919a72a8ba55212f0f0376
Instruction ID: b726b52f8103410e8cfcbcff62722f60089ad6ea9eb3f69ca9adda4f899ceca5
Opcode Fuzzy Hash: ff7577a8d729257f1c7764fb8715b9552954c501a4919a72a8ba55212f0f0376
Instruction Fuzzy Hash: C7E0E576204105BBDB025FA1ED0C90ABF79FF8AB22B10C220F22581070CB369821DF5A

Function 0071BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071BEB3

Strings

D%~, xrefs: 0071BDED, 0071BD91, 0071BD1B
D%~D%~, xrefs: 0071BCA5
D%~, xrefs: 0071BCA2
D%~, xrefs: 0071BE9A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%~$D%~$D%~$D%~D%~
API String ID: 1385522511-534703835
Opcode ID: 1343a3f6fbcd1d376515c2c935e1da7bb02243d77fcaf1ce119dfffed9facd63
Instruction ID: 0bde99fd833bef1f27ec1452ea331335c1f37e5bb5b901c50471117c5d4c6e54
Opcode Fuzzy Hash: 1343a3f6fbcd1d376515c2c935e1da7bb02243d77fcaf1ce119dfffed9facd63
Instruction Fuzzy Hash: 55911775A0020ADFCB18CF5DC0916EAB7F1FF58310F248169D985AB391E779A981CBE0

Function 00797B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00730242: EnterCriticalSection.KERNEL32(007E070C,007E1884,?,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073024D
Part of subcall function 00730242: LeaveCriticalSection.KERNEL32(007E070C,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073028A

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

__Init_thread_footer.LIBCMT ref: 00797BFB

Part of subcall function 007301F8: EnterCriticalSection.KERNEL32(007E070C,?,?,00728747,007E2514), ref: 00730202
Part of subcall function 007301F8: LeaveCriticalSection.KERNEL32(007E070C,?,00728747,007E2514), ref: 00730235

Strings

5, xrefs: 00797C78
G, xrefs: 00797C7F
+Tv, xrefs: 00797E2E
Variable must be of type 'Object'., xrefs: 00797C3A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tv$5$G$Variable must be of type 'Object'.
API String ID: 535116098-960950384
Opcode ID: a0c45cc312bf64088cc3ac35f15fb9687bd2515282c935e6ab009822468b80e1
Instruction ID: 138e8bf49927cae45a7c690dcc88912c4f30414e035a2e5d46fe7741fc3150a3
Opcode Fuzzy Hash: a0c45cc312bf64088cc3ac35f15fb9687bd2515282c935e6ab009822468b80e1
Instruction Fuzzy Hash: 34919D70A14209EFCF08EF58E8959BDB7B5FF49300F148059F8069B292DB79AE41CB60

Function 0077C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0077C6EE
_wcslen.LIBCMT ref: 0077C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0077C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0077C7CA

Strings

0, xrefs: 0077C6AF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f970fd1de3dd54ea0031bd3512ae9aec53c557d9c5712d20094c92775ce9ada8
Instruction ID: e4276643fcd350c21c370fcc79d4352cc44f1fde62878ac59636615cd89e3e9b
Opcode Fuzzy Hash: f970fd1de3dd54ea0031bd3512ae9aec53c557d9c5712d20094c92775ce9ada8
Instruction Fuzzy Hash: D751E2716043409BDB1A9F28C889B6B77E8AF8D390F04892DF999D31D1DB7CDD448B92

Function 0079AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0079AEA3

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

GetProcessId.KERNEL32(00000000), ref: 0079AF38
CloseHandle.KERNEL32(00000000), ref: 0079AF67

Strings

@, xrefs: 0079AE72
<, xrefs: 0079AE6B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: accab7fbb385e931e109327de289877f707e74671e738732eb31f8ceb542bd9c
Instruction ID: 9ccfbbed16f0a5db175c83c0e687b380da033b827b1b3618d9582f0dcd96bb2b
Opcode Fuzzy Hash: accab7fbb385e931e109327de289877f707e74671e738732eb31f8ceb542bd9c
Instruction Fuzzy Hash: 8C715971A00615EFCF15DF58D489A9EBBF1BF08310F048499E816AB292CB79ED81CB91

Function 0077719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00777206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0077723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0077724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007772CF

Strings

DllGetClassObject, xrefs: 00777242

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: dc975ce3799741bead7a939358c7a5cf81f4823c8aca7537842266290d497c5a
Instruction ID: 68e2d1c8bd5cb6918dfde83badba3b5eedee120004a21fe97aa7bb55086fa275
Opcode Fuzzy Hash: dc975ce3799741bead7a939358c7a5cf81f4823c8aca7537842266290d497c5a
Instruction Fuzzy Hash: 94418FB1604204EFDF19CF54C884A9A7BB9FF89350F14C0A9BD099F20AD7B8D940DBA0

Function 007A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A3E35
IsMenu.USER32(?), ref: 007A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A3E92
DrawMenuBar.USER32 ref: 007A3EA5

Strings

0, xrefs: 007A3D89

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9015fac6bc19d14dcec7cafc51b0da4d04f9dd4bbe15be1d4ea14440b64593fb
Instruction ID: 13c184cca3bff44fc20c342e04d6f3f735ecc8592d8d89997c9b6857713b69ad
Opcode Fuzzy Hash: 9015fac6bc19d14dcec7cafc51b0da4d04f9dd4bbe15be1d4ea14440b64593fb
Instruction Fuzzy Hash: 17416A75A05209EFDB10DF50D884AEABBB5FF8A351F04822AF9159B250D738AE50CF50

Function 00771DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00771E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00771E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00771EA9

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Strings

ListBox, xrefs: 00771E25
ComboBox, xrefs: 00771DF0

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e798dd4fe0443e60d6fe00a2a4439d41296e65c65355695307739fea5699fdae
Instruction ID: 2ad5bc00637083651999a66044ec8ff11983e6a111c2d6b24e28407ea12c6740
Opcode Fuzzy Hash: e798dd4fe0443e60d6fe00a2a4439d41296e65c65355695307739fea5699fdae
Instruction Fuzzy Hash: 102137B1A00104FADF159B68DC5ACFFB7B8DF42390B548119F869A31E0DB7C4E468720

Function 0079C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079C9F1
_wcslen.LIBCMT ref: 0079CA68
_wcslen.LIBCMT ref: 0079CA9E
_wcslen.LIBCMT ref: 0079CAF9
_wcslen.LIBCMT ref: 0079CB2F
_wcslen.LIBCMT ref: 0079CB7F

Strings

HKLM, xrefs: 0079CA98, 0079CA9D
HKEY_LOCAL_MACHINE, xrefs: 0079CA62, 0079CA67

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 336cad8d7c8c94f1580ba03e46f7e864234a6a0412acea35ece92dbf6d8dea65
Instruction ID: fe0f29cf401faa06d457446a14a43bcbae57677e153bf1b543fe4b2f78bb1834
Opcode Fuzzy Hash: 336cad8d7c8c94f1580ba03e46f7e864234a6a0412acea35ece92dbf6d8dea65
Instruction Fuzzy Hash: 6531F873A001698BCF26DF2CA9911BE37A1DBA1750F55C02AE845AB385F67DDD80D3A0

Function 007A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007A2F8D
LoadLibraryW.KERNEL32(?), ref: 007A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007A2FA9
DestroyWindow.USER32(?), ref: 007A2FB1

Strings

SysAnimate32, xrefs: 007A2F68

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a606cb0fc9f22cb9ef4772d077992dbe7d9d1ce3783bef8f7214c8a80ca442d3
Instruction ID: f1e19102666e9e5b69d669826fb8565fd56d8cfd3d80efd865fab22f27d7219a
Opcode Fuzzy Hash: a606cb0fc9f22cb9ef4772d077992dbe7d9d1ce3783bef8f7214c8a80ca442d3
Instruction Fuzzy Hash: 9421FD71200209AFEB118F68DC84FBB37BDEB9A364F104718FA10D61A1D739DC829760

Function 00734D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00734D1E,007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002), ref: 00734D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00734DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00734D1E,007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000), ref: 00734DC3

Strings

mscoree.dll, xrefs: 00734D86
CorExitProcess, xrefs: 00734D98

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2c08451982a47ae69370906c79a6187338dfae6dd7db653a4dd90a49e9105535
Instruction ID: 410814cb9ab3bce3f687c58d6921a141659b18509778921c9d3cc090cd145da4
Opcode Fuzzy Hash: 2c08451982a47ae69370906c79a6187338dfae6dd7db653a4dd90a49e9105535
Instruction Fuzzy Hash: 2EF0AF70A00208BBEB169F90DC09BEEBFF5EF44711F0040A4F906A2261CF38AD40CAD4

Function 0076D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0076D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0076D3BF
FreeLibrary.KERNEL32(00000000), ref: 0076D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0076D3B9
X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: edc6575d6ff3e1db41f52acbc7fe7cac23d8edf1378b8316a22e1e817358884a
Instruction ID: 3f2dcebd46b362c5cb135a191aec6b4663c8788ddf74b382f0d6329337a4021d
Opcode Fuzzy Hash: edc6575d6ff3e1db41f52acbc7fe7cac23d8edf1378b8316a22e1e817358884a
Instruction Fuzzy Hash: 58F055F0F26620EFD7322712CC289293220BF42701B688165FC03E5210EB7CCC408A97

Function 00714E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714EAE
FreeLibrary.KERNEL32(00000000,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EC0

Strings

kernel32.dll, xrefs: 00714E94
Wow64DisableWow64FsRedirection, xrefs: 00714EA8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 506b291061bb901010142dc8cf4a0aa2a89482770ee3292f8f75991103ca582b
Instruction ID: 9aa1a6f459f2c48c6ea7790d064aaf66b3c68a590e72d875e08959f4af8f7bb3
Opcode Fuzzy Hash: 506b291061bb901010142dc8cf4a0aa2a89482770ee3292f8f75991103ca582b
Instruction Fuzzy Hash: EBE0CD75B015227BD3331729FC18B9F6554AFC3F627054215FC05D2240DB6CCD4544B5

Function 00714E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714E74
FreeLibrary.KERNEL32(00000000,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E87

Strings

kernel32.dll, xrefs: 00714E5B
Wow64RevertWow64FsRedirection, xrefs: 00714E6E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 30ab4ae6ec78a45eac47b155025840616053b3011a891292e85c91f327e4b905
Instruction ID: 78e65608dd35b7b3e62933c9fc941a8e462dfecf3b900d250eb1922a456da8b8
Opcode Fuzzy Hash: 30ab4ae6ec78a45eac47b155025840616053b3011a891292e85c91f327e4b905
Instruction Fuzzy Hash: 5DD0C2756026227747231B28BC09DCB2A18AFC2B113054211F801A2150CF2DCD4281E4

Function 00782947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782C05
DeleteFileW.KERNEL32(?), ref: 00782C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00782C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782CC0

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 83043883c453c35c400adc908f856b6aacafdeac44e717e6c83db555b8187319
Instruction ID: 254bfb0f410f271fcb47f30e0e50e50b879f0c9a7082e3327118a3b2c01e4d0b
Opcode Fuzzy Hash: 83043883c453c35c400adc908f856b6aacafdeac44e717e6c83db555b8187319
Instruction Fuzzy Hash: B8B16071D01119EBDF25EBA4CC89EDEBB7DEF48310F1040A6F509E6142EB399A458F61

Function 0079A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0079A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0079A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0079A468
CloseHandle.KERNEL32(?), ref: 0079A63D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6990ee62195b85cc5f4c2edbb1425fabe71b36ccf9cf6f20191e479f19559e23
Instruction ID: f0654350a0f4ab12c15a14ad1be2623ee47ef16e567ca7009ffcbe1bab95f825
Opcode Fuzzy Hash: 6990ee62195b85cc5f4c2edbb1425fabe71b36ccf9cf6f20191e479f19559e23
Instruction Fuzzy Hash: D4A16371604301AFDB20DF28D88AF2AB7E5AF84714F14885DF9599B2D2DB74EC41CB92

Function 0077E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0077CF22,?), ref: 0077DDFD

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0077CF22,?), ref: 0077DE16

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

lstrcmpiW.KERNEL32(?,?), ref: 0077E473
MoveFileW.KERNEL32(?,?), ref: 0077E4AC
_wcslen.LIBCMT ref: 0077E5EB
_wcslen.LIBCMT ref: 0077E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0077E650

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f5aeaf731fe57bf2617a55d56d7f5bf15f1b74de603dc0984662fd4b815ccfd7
Instruction ID: 7de46a64412b19a985d649f4bd1f46299dd7428d67a1b5e1c57d249a61f8507e
Opcode Fuzzy Hash: f5aeaf731fe57bf2617a55d56d7f5bf15f1b74de603dc0984662fd4b815ccfd7
Instruction Fuzzy Hash: 7351B8B25083859BDB34DB94CC859DF73DCAF89340F00491EF689D3191EF79A6888766

Function 0079B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0079BB63
RegCloseKey.ADVAPI32(?,?), ref: 0079BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0079BBB3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fb9e5553388f579ca33c0175778f3c77a4c50319f21dbf7961bad228a5b5d18a
Instruction ID: f12b0e1ef2ac51e472d8c5aceb3025810dc2680a41d8c304e53d2bdff3e6ae3b
Opcode Fuzzy Hash: fb9e5553388f579ca33c0175778f3c77a4c50319f21dbf7961bad228a5b5d18a
Instruction Fuzzy Hash: B461E371208241EFC714DF24D994E6ABBE5FF84308F14855CF4998B2A2DB39ED45CB92

Function 00778BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00778BCD
VariantClear.OLEAUT32 ref: 00778C3E
VariantClear.OLEAUT32 ref: 00778C9D
VariantClear.OLEAUT32(?), ref: 00778D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00778D3B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ae19fbed29144ec61f156ac0ef7788505ace1e69d5f7302c0b2264a8758e73e9
Instruction ID: 92bb5fa71d503dab30741ee3f898015536c8387d4b4e8cf3e505d85c9ef84007
Opcode Fuzzy Hash: ae19fbed29144ec61f156ac0ef7788505ace1e69d5f7302c0b2264a8758e73e9
Instruction Fuzzy Hash: 29516DB5A00219EFCB10CF68C894AAABBF4FF8D350B158559E919DB350E734E911CFA4

Function 00788AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00788BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00788BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00788C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00788C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00788C5F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 33b5a3e1204ee04e762d4491dca3d939f429535e894f99033cadcad619e6bc4d
Instruction ID: bff4806f86c215d9bcee4551e6ff29b6d857176a3fef565e5111fb3c63802d5c
Opcode Fuzzy Hash: 33b5a3e1204ee04e762d4491dca3d939f429535e894f99033cadcad619e6bc4d
Instruction Fuzzy Hash: DC514F35A00215DFCB05DF64C885AADBBF5FF49314F088498E849AB3A2DB39ED51CB91

Function 00798EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00798F40
GetProcAddress.KERNEL32(00000000,?), ref: 00798FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00798FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00799032
FreeLibrary.KERNEL32(00000000), ref: 00799052

Part of subcall function 0072F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00781043,?,753CE610), ref: 0072F6E6
Part of subcall function 0072F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0076FA64,00000000,00000000,?,?,00781043,?,753CE610,?,0076FA64), ref: 0072F70D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b9faf10cb567af433e52fa7075164347c1f9d944238f51e69bba29c1953d8d7c
Instruction ID: 339826e85688129c538e467c16645cff0f6d0e30de08766ad04096fb614b8c0a
Opcode Fuzzy Hash: b9faf10cb567af433e52fa7075164347c1f9d944238f51e69bba29c1953d8d7c
Instruction Fuzzy Hash: 96514E34600205DFCB15DF58D4948ADBBF1FF49314F048098E9169B362DB39ED86CB91

Function 007A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0078AB79,00000000,00000000), ref: 007A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007A6CC7

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4c862896f41cc54575a4fa83c556583b2dd16c6dc232d309c07840ad5ec9d601
Instruction ID: c0be182e6a40188d8e4e1ed69b16c75ad4722fea236826e68eba213fe2c273ef
Opcode Fuzzy Hash: 4c862896f41cc54575a4fa83c556583b2dd16c6dc232d309c07840ad5ec9d601
Instruction Fuzzy Hash: CB41D075A04104BFD724DF28CC48BA97BA5EB8B360F194368F895A72E0C779FD40CA60

Function 00742051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007420C3
_free.LIBCMT ref: 007420E3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86cf9ff042edd9f604c5850ddd51545892b163ed8fb6afd9b470b5ad46c0d257
Instruction ID: 3b48ed716823fd4e606d038a901500b35ad9d5e1343c2768ac84ff8c96579d86
Opcode Fuzzy Hash: 86cf9ff042edd9f604c5850ddd51545892b163ed8fb6afd9b470b5ad46c0d257
Instruction Fuzzy Hash: 1F41D032A002049FDB24DF78C884A5EB7F5EF88310F5545A9F515EB366EB35AD12CB90

Function 0072912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00729141
ScreenToClient.USER32(00000000,?), ref: 0072915E
GetAsyncKeyState.USER32(00000001), ref: 00729183
GetAsyncKeyState.USER32(00000002), ref: 0072919D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3edae845eba0d86161f8a8d5346c829583dcf285b05d98644f4fe9b78ab5f293
Instruction ID: 4fd9bdfbef24dca1c04dd6c64decf63aa1d9b56ee86c598a2c5c0af66cadec31
Opcode Fuzzy Hash: 3edae845eba0d86161f8a8d5346c829583dcf285b05d98644f4fe9b78ab5f293
Instruction Fuzzy Hash: 3C41903190821AFBDF099F68D848BEEB774FB46364F248216E925A32D0C7385D50CBA1

Function 00783874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00783922
TranslateMessage.USER32(?), ref: 0078394B
DispatchMessageW.USER32(?), ref: 00783955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00783966

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1492f31529dd2e0a7a185aa7bc2c38d7ab5255fed3bf59a395305264b986ecf1
Instruction ID: 556d7e165740bce44474434c1befb76762fd4cd6deb36cde88f95bcb1bd9135a
Opcode Fuzzy Hash: 1492f31529dd2e0a7a185aa7bc2c38d7ab5255fed3bf59a395305264b986ecf1
Instruction Fuzzy Hash: B4311A709853819EEB35EB3CD849FB637A8EB05708F44456DE466C60A0E3FCB685CB21

Function 0078CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0078CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFF2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 57006212e017f52319e07f3b0e73aa33bfb905f6aca187294c5f3146887d2d97
Instruction ID: 02da19631f17b63c90bd373601da9104c8f9727fdff3ca8cba969361f966149d
Opcode Fuzzy Hash: 57006212e017f52319e07f3b0e73aa33bfb905f6aca187294c5f3146887d2d97
Instruction Fuzzy Hash: C5315472544205FFEB21EFA5D88496B77F9EB55354B10842EF606D2140DB38AD41DB60

Function 00771901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00771915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007719E2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6da31fa6fad30290b62d42899acc5cc9f96620f3ee2101bd0e80ddef42215b60
Instruction ID: d69031b206f0d91c3cfd301de69af99910b1bda47eed75242d0c15a50dd6f1bd
Opcode Fuzzy Hash: 6da31fa6fad30290b62d42899acc5cc9f96620f3ee2101bd0e80ddef42215b60
Instruction Fuzzy Hash: 6831CD71A00259EFCF00CFACC999AEE3BB5EB45314F008229FA25A72D0C374A945CF90

Function 007A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007A579D
_wcslen.LIBCMT ref: 007A57AF
_wcslen.LIBCMT ref: 007A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A5816

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9a21b0322d220719e090b0822fe9ae3608c522dd8765abdd148ad085a2f5f7ed
Instruction ID: 4f7bfbce01983ce7c2ed400ca59cd53d69f10829eca10364f2430cc91933e510
Opcode Fuzzy Hash: 9a21b0322d220719e090b0822fe9ae3608c522dd8765abdd148ad085a2f5f7ed
Instruction Fuzzy Hash: F721A271904618EADB208FA0CC85EEE77B8FF86320F108356F929EA181D7789985CF50

Function 00790930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00790951
GetForegroundWindow.USER32 ref: 00790968
GetDC.USER32(00000000), ref: 007909A4
GetPixel.GDI32(00000000,?,00000003), ref: 007909B0
ReleaseDC.USER32(00000000,00000003), ref: 007909E8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c4c3b1ddd2a95e287abccbe46cb13899b3a724d823d79cc7bf28d7106dc22720
Instruction ID: 131e460efd0d28d2715b1df3b19fc8066e71a0825e77e9c532e8d06317d211f9
Opcode Fuzzy Hash: c4c3b1ddd2a95e287abccbe46cb13899b3a724d823d79cc7bf28d7106dc22720
Instruction Fuzzy Hash: FA219675600204EFD704EF69D948AAEB7F9EF49710F048468F84AD7352DB38AC44CB90

Function 0074CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0074CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0074CDE9

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0074CE0F
_free.LIBCMT ref: 0074CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0074CE31

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: cb267e277d34f1bf080a79e21e6cf5ac0f8b93590842f258660448138e145642
Instruction ID: e10bb750703c34dfcff45397270a766a4ba95066399be75725b5e040f3b825f5
Opcode Fuzzy Hash: cb267e277d34f1bf080a79e21e6cf5ac0f8b93590842f258660448138e145642
Instruction Fuzzy Hash: 7101D4726032257F276316B66C8CC7B696DDEC7BA1315412DF905C7201EF798D0291B4

Function 00729639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
SelectObject.GDI32(?,00000000), ref: 007296A2
BeginPath.GDI32(?), ref: 007296B9
SelectObject.GDI32(?,00000000), ref: 007296E2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7d7a1ac49c91bde26a6adce58121af3b5eb4251f053cdd4932342651be3958d9
Instruction ID: 0016f455f1bde8896828d5d2e82a7c2917cf1b63f0ea1c13ab0cb60bd240d9ed
Opcode Fuzzy Hash: 7d7a1ac49c91bde26a6adce58121af3b5eb4251f053cdd4932342651be3958d9
Instruction Fuzzy Hash: 6521C5708033D5EFDB118F24EC49BA93BB4BB45355F548215F510AA1B1D37C6881CF98

Function 00775711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00775726
_memcmp.LIBVCRUNTIME ref: 00775744
_memcmp.LIBVCRUNTIME ref: 00775757
_memcmp.LIBVCRUNTIME ref: 0077576F
_memcmp.LIBVCRUNTIME ref: 00775787

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8edd2fa962bebb852ec6cc38a95820d4f66c201fe34b2c4dd394376aa1720395
Instruction ID: 920d362e614cb3e5c73ac44085ac043bb25794722ae00f593bc49645bb721e0c
Opcode Fuzzy Hash: 8edd2fa962bebb852ec6cc38a95820d4f66c201fe34b2c4dd394376aa1720395
Instruction Fuzzy Hash: F60175E1641A09FBEA0C57219D86FBB735D9B613E5F408121FD0C9A642F7ADED1082F1

Function 00742DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6), ref: 00742DFD
_free.LIBCMT ref: 00742E32
_free.LIBCMT ref: 00742E59
SetLastError.KERNEL32(00000000,00711129), ref: 00742E66
SetLastError.KERNEL32(00000000,00711129), ref: 00742E6F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6979e1cc878f825fb24173b743d2c0a1fc934692c3c6e9df9972e8d813ad7e78
Instruction ID: ed432084d1bab747334970ff3bc0e11594b2926819d681a801268feadd53f509
Opcode Fuzzy Hash: 6979e1cc878f825fb24173b743d2c0a1fc934692c3c6e9df9972e8d813ad7e78
Instruction Fuzzy Hash: D301F972245621B7C61367356C4ED2B2669ABD27A17E44025F415E2193EF7CCC238524

Function 0077000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?,?,0077035E), ref: 0077002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?), ref: 00770064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770070

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dd31c680bb045cad86d64b370ac17d5d07ac5078c5ebf59bf3010a2992dabfcf
Instruction ID: b3318dddae2431434e652a5ab01647363c06d195fc24c13972a82f311b94fc67
Opcode Fuzzy Hash: dd31c680bb045cad86d64b370ac17d5d07ac5078c5ebf59bf3010a2992dabfcf
Instruction Fuzzy Hash: 78014B76600214FFDF124F69DC48BAA7AEDEB847A2F148124F909D6210EB7DDD40DBA0

Function 0077E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0077E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0077E9A5
Sleep.KERNEL32(00000000), ref: 0077E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0077E9B7
Sleep.KERNEL32 ref: 0077E9F3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f37bc50a9af1c14a8d96d98e4729224c201ec0c4984f05155e304159a0187bdd
Instruction ID: 7f645410aa6b746828b36e69e76cb40bc58745661e6931fa2dad3d19cff1b082
Opcode Fuzzy Hash: f37bc50a9af1c14a8d96d98e4729224c201ec0c4984f05155e304159a0187bdd
Instruction Fuzzy Hash: CE015B72D0152DEBCF009BE4D849ADDBB78BF4E301F008596E606B2241DB38A555CB66

Function 007710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8f09c2b92b1e50f50cb31fd749957f6f01e7b7d453fd34dc5a7cf4e4720810cb
Instruction ID: c960b6721a75f1b66d723341ca3091e1be999c208ab9a436159d755fc26809b7
Opcode Fuzzy Hash: 8f09c2b92b1e50f50cb31fd749957f6f01e7b7d453fd34dc5a7cf4e4720810cb
Instruction Fuzzy Hash: 17011975200209BFDB124FA9DC59A6A3B6EEFCA3A0B608419FA45D7360DA35DD009F64

Function 00770FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00770FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00770FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00770FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00770FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00771002

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c84b9f9112ddd362d23c68a5d5b12e06629704078015a9a5ada51348eddd64fe
Instruction ID: b055de372fca47096504a2e6dbc4f591dc2f7294cf93cd6cc5555b26eeecb0b7
Opcode Fuzzy Hash: c84b9f9112ddd362d23c68a5d5b12e06629704078015a9a5ada51348eddd64fe
Instruction Fuzzy Hash: E9F04975200305BBDB224FA8DC4AF573BADEFCA7A2F508414FA49C6251DE78DC50CA60

Function 00771014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0077102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00771036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0077104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771062

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3fbfc60b5aa9ab7833dea4a31f4f01cd5fafe612dd1ba8d0895886fcc9bf9ef3
Instruction ID: 9ffa0270f2a9dc9731848d2d9b7903a26368646768462ebe5e871ad0ca6e6538
Opcode Fuzzy Hash: 3fbfc60b5aa9ab7833dea4a31f4f01cd5fafe612dd1ba8d0895886fcc9bf9ef3
Instruction Fuzzy Hash: 1CF03775200305BBDB225FA8EC49A563BADEF8A6A1F508414FA4986250DA78D8508A60

Function 0078030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780324
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780331
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 0078033E
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 0078034B
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780358
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780365

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a1dd6b7a2562ecc66a26464acf587d65669c6cba39b52378367a88d64a27ab17
Instruction ID: 4278d09b166396528bf5fb1deac67c3ff72df9a38201d529b9aa2a1336a10f3e
Opcode Fuzzy Hash: a1dd6b7a2562ecc66a26464acf587d65669c6cba39b52378367a88d64a27ab17
Instruction Fuzzy Hash: B501AA72801B15DFCB30AF66D880812FBF9BF603153158A3FD1A692931C7B5A998DF80

Function 0074D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0074D752

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074D764
_free.LIBCMT ref: 0074D776
_free.LIBCMT ref: 0074D788
_free.LIBCMT ref: 0074D79A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1ed2ef87f7952582b06e7fa24c89eeb3af820dde89be3e4b5f78d11d7c739a0f
Instruction ID: ec6f8f4b9bf33524adf3adef0e2584a4453a8aec0bb6ef1bc94fcb935d3dd295
Opcode Fuzzy Hash: 1ed2ef87f7952582b06e7fa24c89eeb3af820dde89be3e4b5f78d11d7c739a0f
Instruction Fuzzy Hash: 93F01232545205AB9633EB65F9C5C167BEDBB447107D54C06F088E7512C73CFC908A64

Function 00775C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00775C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00775C6F
MessageBeep.USER32(00000000), ref: 00775C87
KillTimer.USER32(?,0000040A), ref: 00775CA3
EndDialog.USER32(?,00000001), ref: 00775CBD

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4ee66bec887d26b28aa99b459cd0f80aa01c7ad18a78a3275d30c147e812468
Instruction ID: da582877b8aed7f676cd6d77dd1810d49af0fe77c94136bebdd9266743ec1f19
Opcode Fuzzy Hash: e4ee66bec887d26b28aa99b459cd0f80aa01c7ad18a78a3275d30c147e812468
Instruction Fuzzy Hash: 0F018130500B05ABEF229B10DD4EFA677B8BB41B45F049569A587A10E1DBF8A9848AA4

Function 007422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007422BE

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 007422D0
_free.LIBCMT ref: 007422E3
_free.LIBCMT ref: 007422F4
_free.LIBCMT ref: 00742305

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21ce87950c1e94388ac6635b4797d6af451f7902e97af4886dc00645677d6ccd
Instruction ID: aa4126a23027dc76d42fda70bb528be4c09cd17f221a1029c461069e8902e76a
Opcode Fuzzy Hash: 21ce87950c1e94388ac6635b4797d6af451f7902e97af4886dc00645677d6ccd
Instruction Fuzzy Hash: CDF03A709021A19B9A13AF55BC8680C3B68F71C760781850BF410EA2B2C77D2873EFEC

Function 007295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007295D4
StrokeAndFillPath.GDI32(?,?,007671F7,00000000,?,?,?), ref: 007295F0
SelectObject.GDI32(?,00000000), ref: 00729603
DeleteObject.GDI32 ref: 00729616
StrokePath.GDI32(?), ref: 00729631

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cfaa1e1d0ad170192dfcbee496248f0e4741dbfea55e267cf21a96eecae9597f
Instruction ID: e8fc2614c2ad8cbdbdc29e75b13cc9162f029d6e8b366f1a9607001f41247d9f
Opcode Fuzzy Hash: cfaa1e1d0ad170192dfcbee496248f0e4741dbfea55e267cf21a96eecae9597f
Instruction Fuzzy Hash: D6F03C30006288EBDB135F65ED5D7A53BA1AB46322F48C214F525590F2DB3C99A1DF28

Function 00740F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007410F9
__freea.LIBCMT ref: 00741117

Part of subcall function 00741537: _free.LIBCMT ref: 0074154F

Strings

a/p, xrefs: 007411DE
am/pm, xrefs: 0074117A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e43ad88c79126362eedff591aaeced324cca744c88659b5191a0f09e99e2e7bf
Instruction ID: a3e4aaac37e706634ee21717f47f2cc24499652aa2c23d7ae5809e699cced3c7
Opcode Fuzzy Hash: e43ad88c79126362eedff591aaeced324cca744c88659b5191a0f09e99e2e7bf
Instruction Fuzzy Hash: E3D12631A1020ACADB24BF68C895BFEBBB0FF06700FA44159E915AB651D37D9DC0CB91

Function 007961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00730242: EnterCriticalSection.KERNEL32(007E070C,007E1884,?,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073024D
Part of subcall function 00730242: LeaveCriticalSection.KERNEL32(007E070C,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073028A

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

__Init_thread_footer.LIBCMT ref: 00796238

Part of subcall function 007301F8: EnterCriticalSection.KERNEL32(007E070C,?,?,00728747,007E2514), ref: 00730202
Part of subcall function 007301F8: LeaveCriticalSection.KERNEL32(007E070C,?,00728747,007E2514), ref: 00730235

Part of subcall function 0078359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007835E4
Part of subcall function 0078359C: LoadStringW.USER32(007E2390,?,00000FFF,?), ref: 0078360A

Strings

x#~, xrefs: 0079636F
x#~, xrefs: 00796353
x#~, xrefs: 0079633A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#~$x#~$x#~
API String ID: 1072379062-2863289283
Opcode ID: afb35b4c9551c1cf289781fa0be7ae8209c8023d2272b01ed682c4832ac016ef
Instruction ID: eafce2cd303131ee20826498f8160389b73c3ed681582683a724d9f939c552ad
Opcode Fuzzy Hash: afb35b4c9551c1cf289781fa0be7ae8209c8023d2272b01ed682c4832ac016ef
Instruction Fuzzy Hash: 59C17B71A00105EBCF14DF98D895EAEB7B9FF48300F118169E9059B291DB78EE55CBA0

Function 00745AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOq, xrefs: 00745BA8, 00745C6C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: JOq
API String ID: 0-3534734180
Opcode ID: e4678fa9163d5b08d7a1d883f3fc0505f1960f44e12959e7dd3353cac585b17d
Instruction ID: 063e01e8f0fdc428b25bb58e86d10e27447b6ccd27855c5071f4eafcac0cba55
Opcode Fuzzy Hash: e4678fa9163d5b08d7a1d883f3fc0505f1960f44e12959e7dd3353cac585b17d
Instruction Fuzzy Hash: 9451A0B1E0060AEFDB119FA4C889FAEBBB8EF45310F14015AF405A7293D77D9901CB61

Function 00748A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00748B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00748B7A
__dosmaperr.LIBCMT ref: 00748B81

Strings

.s, xrefs: 00748A63

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .s
API String ID: 2434981716-1621786184
Opcode ID: d5ef8f52ef2e641989797162c82c2e270fd3fb75832694c9bfaa1fde14e96f2a
Instruction ID: eb9c0f856505561f43bf5fe67708360ff636d3c5059cde2aa50ca550a901da69
Opcode Fuzzy Hash: d5ef8f52ef2e641989797162c82c2e270fd3fb75832694c9bfaa1fde14e96f2a
Instruction Fuzzy Hash: B8418CF060404DAFDB659F24C884A7D7FA5EB86314F2881AAF8948B242DF798C42D795

Function 00772716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007721D0,?,?,00000034,00000800,?,00000034), ref: 0077B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00772760

Part of subcall function 0077B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0077B3F8

Part of subcall function 0077B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0077B355
Part of subcall function 0077B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00772194,00000034,?,?,00001004,00000000,00000000), ref: 0077B365
Part of subcall function 0077B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00772194,00000034,?,?,00001004,00000000,00000000), ref: 0077B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0077281A

Strings

@, xrefs: 00772832

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 23bb8b71d85cd8879e65ab9d210f2e8b9a6e5facb30b5e42597ee6e36c200bfa
Instruction ID: c78681f9650acc9ec7070a88361db9ef1fbc1b9e2d3ab878026e1fae3879c0d9
Opcode Fuzzy Hash: 23bb8b71d85cd8879e65ab9d210f2e8b9a6e5facb30b5e42597ee6e36c200bfa
Instruction Fuzzy Hash: FB412A72900218AFDF10DBA4CD45BEEBBB8EF09740F008095FA59B7181DB756E85CBA1

Function 0074172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00741769
_free.LIBCMT ref: 00741834
_free.LIBCMT ref: 0074183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00741760, 00741767, 00741796, 007417CE

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 9903ab0c4833eb62d778178da8a0d9092c6e3bd82f8b62330502d2e225b1aedc
Instruction ID: 42ecaecbe6d13cd91172d1e9b3cf9887c452aa4d6882d5d7741e57c9efae8f25
Opcode Fuzzy Hash: 9903ab0c4833eb62d778178da8a0d9092c6e3bd82f8b62330502d2e225b1aedc
Instruction Fuzzy Hash: 77318271A40258EFDB22EB99DC85D9EBBFCEB89310B944166F504DB211D7784E80CB90

Function 0077C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0077C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0077C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007E1990,01115618), ref: 0077C395

Strings

0, xrefs: 0077C2DF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7fe1bfeb7e3147d4b26451bb72c416c2a53689bcb75bd5ea6992520e9943b5fe
Instruction ID: 4737767276df15b6840c2ad0672327837c2f12177ae254941f3ee5680d9bd4e8
Opcode Fuzzy Hash: 7fe1bfeb7e3147d4b26451bb72c416c2a53689bcb75bd5ea6992520e9943b5fe
Instruction Fuzzy Hash: C9418071204301DFDB21DF25D885B5ABBE4AF89360F14C61DF9A9972D1D738A904CB62

Function 007A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007ACC08,00000000,?,?,?,?), ref: 007A44AA
GetWindowLongW.USER32 ref: 007A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A44D7

Strings

SysTreeView32, xrefs: 007A447C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 35fc212d16b9ba6e3fb0883bdc34107300583c0069bcf6936e15d10f309bb1f4
Instruction ID: 41c858362b6291223d97be3651dbd60a672dfadb6e35541803954c5e21f352b7
Opcode Fuzzy Hash: 35fc212d16b9ba6e3fb0883bdc34107300583c0069bcf6936e15d10f309bb1f4
Instruction Fuzzy Hash: 9831AD71200245AFDB218F78DC45BEA77A9EB8A334F204725F975921D0D7B9EC509B50

Function 00776E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00776EED
VariantCopyInd.OLEAUT32(?,?), ref: 00776F08
VariantClear.OLEAUT32(?), ref: 00776F12

Strings

*jw, xrefs: 00776E8B, 00776E90, 00776EF8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jw
API String ID: 2173805711-2615704982
Opcode ID: bc73a657917de3d09f5e5bea73c97e0a082f87b43bf965aad1fd5ae8a6fc7e6b
Instruction ID: 9353b39d648c6cb00b96d8038f9c756c1c6b70e4a807ee4f907edc55e2f72912
Opcode Fuzzy Hash: bc73a657917de3d09f5e5bea73c97e0a082f87b43bf965aad1fd5ae8a6fc7e6b
Instruction Fuzzy Hash: 52310231604646DFCF05AFA8E8548BD37B6FF85740B1084A8F8065B2A1C73C9D52CBD4

Function 0079304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00793077,?,?), ref: 00793378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0079307A
_wcslen.LIBCMT ref: 0079309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00793106

Strings

255.255.255.255, xrefs: 00793095, 0079309A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b3dd11f961a9e1d15629d93a7b5df6ff9b45a00f7f9a8c32c697a1402ac1ed33
Instruction ID: bb791d58aa421d601845515162aba5e74372324a1167ca8b0d5217aefe2b7860
Opcode Fuzzy Hash: b3dd11f961a9e1d15629d93a7b5df6ff9b45a00f7f9a8c32c697a1402ac1ed33
Instruction Fuzzy Hash: E031C139200205DFDF20CF6CD485EAA77E1EF55318F248059E9158B3A2DB3AEE45C760

Function 007A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A3F78

Strings

SysMonthCal32, xrefs: 007A3F0B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f4e720da9f2b7aec91af3ba1e9f502930db8091fd07eb32f38dda8c950393ee7
Instruction ID: 62feefb80d5893154d65427079f50ea26452c9866fb5ba3dcbbb01e89cd71b12
Opcode Fuzzy Hash: f4e720da9f2b7aec91af3ba1e9f502930db8091fd07eb32f38dda8c950393ee7
Instruction Fuzzy Hash: 8221BF32610219BFDF25CF54CC46FEA3B75EB89714F110215FA156B1D0D6B9AD50CB90

Function 007A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007A471A

Strings

msctls_updown32, xrefs: 007A4684

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3c76bd6ae7b1db2a11920360a4ac4df382e46a194a8cf3224dc7926a51261daa
Instruction ID: b7d2906d0d5e513b5d04e727497ccc2fb3d12f422bc42597d08dd2cc706a5bdf
Opcode Fuzzy Hash: 3c76bd6ae7b1db2a11920360a4ac4df382e46a194a8cf3224dc7926a51261daa
Instruction Fuzzy Hash: 7C218EB5601248AFDB11DF68DCC5DBB37ADEB8B394B040159FA009B2A1DB79EC11CA60

Function 007795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077961D

Strings

#OnAutoItStartRegister, xrefs: 007795F3
#notrayicon, xrefs: 007795B7
#requireadmin, xrefs: 007795D9

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: b9cb2688758f1122bb752e987e15400009a3ffe6e7e5bebbbb5b1f5a41da0c8f
Instruction ID: 6966fdb1e75230f2e2e7bd959d43cbe6a4b173bdeafac0ca29037489b0d1b008
Opcode Fuzzy Hash: b9cb2688758f1122bb752e987e15400009a3ffe6e7e5bebbbb5b1f5a41da0c8f
Instruction Fuzzy Hash: 44218E72205221A6DB31BB289C06FB773E89F91340F00C125FA4DD70C1EB6CAD51C2A2

Function 007A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007A3876

Strings

Listbox, xrefs: 007A380F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9b52db193cd7c6c540c6c49aeafc5c2d12814f6a9a48e01899099dccab0a5a4f
Instruction ID: c7b738c0517dcde02b8fb7d1c93edcd13d1bd1b6b90fb76676e43006c476e999
Opcode Fuzzy Hash: 9b52db193cd7c6c540c6c49aeafc5c2d12814f6a9a48e01899099dccab0a5a4f
Instruction Fuzzy Hash: 7A219272610118BBEF119F54CC85FBB376EEFCA760F108225F9049B190CA79DC518BA0

Function 007849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00784A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00784A5C
SetErrorMode.KERNEL32(00000000,?,?,007ACC08), ref: 00784AD0

Strings

%lu, xrefs: 00784A6F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7580c8df02931548c1ebcb008e54089aa4b2074ed06a6489026ce76f5fb22e48
Instruction ID: 2cf1e1071e9ceaee18450825b7ce8f0c4384a46a3d3c442106315d4aca06d1c5
Opcode Fuzzy Hash: 7580c8df02931548c1ebcb008e54089aa4b2074ed06a6489026ce76f5fb22e48
Instruction Fuzzy Hash: 84318071A00109EFDB10DF64C885EAA7BF8EF49304F1480A5E909DB352D779EE45CBA1

Function 007A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007A4271

Strings

msctls_trackbar32, xrefs: 007A4226

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0af5ebfb6504c6ffae02595068ac5c49ee1c2e5a969de4cd20c041814b00dab6
Instruction ID: cda1c2b61fd809b9c7486efab032f7316ad37d09b26149167efd2173357fb50b
Opcode Fuzzy Hash: 0af5ebfb6504c6ffae02595068ac5c49ee1c2e5a969de4cd20c041814b00dab6
Instruction Fuzzy Hash: 3711E331240248BEEF209F28CC46FAB3BACEFC6B64F010224FA55E60D0D6B6DC519B50

Function 00772F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Part of subcall function 00772DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00772DC5
Part of subcall function 00772DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00772DD6
Part of subcall function 00772DA7: GetCurrentThreadId.KERNEL32 ref: 00772DDD
Part of subcall function 00772DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00772DE4

GetFocus.USER32 ref: 00772F78

Part of subcall function 00772DEE: GetParent.USER32(00000000), ref: 00772DF9

GetClassNameW.USER32(?,?,00000100), ref: 00772FC3
EnumChildWindows.USER32(?,0077303B), ref: 00772FEB

Strings

%s%d, xrefs: 00772FFF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9ebd0e65082ad258e10f4ce4130aa19a9e80299a1fe7324aa658ac97e89b7ec5
Instruction ID: f02ec294058f1f38194d3b084fe81b8a1fa81705e747e12ca59d31a238df716b
Opcode Fuzzy Hash: 9ebd0e65082ad258e10f4ce4130aa19a9e80299a1fe7324aa658ac97e89b7ec5
Instruction Fuzzy Hash: EE11C0B1700205ABCF55AF748C89EED376AAF84344F048075B90D9B292DE389946DB60

Function 007A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007A58EE
DrawMenuBar.USER32(?), ref: 007A58FD

Strings

0, xrefs: 007A588F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2ac10f7e0c3d80739e45b8d5d41bdbacca8d3a73ca3a7ca68f7f8f62bbea5262
Instruction ID: b43f26ae942a84c06d9ed399d1c68996218107ec926403f1a6ebce1848a24ec7
Opcode Fuzzy Hash: 2ac10f7e0c3d80739e45b8d5d41bdbacca8d3a73ca3a7ca68f7f8f62bbea5262
Instruction Fuzzy Hash: 99014431900218EFDB129F11EC44BAFBBB4FF86361F1481A9F849DA151DB389A94DF21

Function 0077007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9131d43242ec15843ad5f45515ecbd81dfb01368c007d4829049b87c53bfd0a2
Instruction ID: 680d0f7f0b95b71db0649cdabc67f279abb0c8bc59101be49d706543f4e9c7e9
Opcode Fuzzy Hash: 9131d43242ec15843ad5f45515ecbd81dfb01368c007d4829049b87c53bfd0a2
Instruction Fuzzy Hash: 8DC16C75A0020AEFDB14CFA4C898EAEB7B5FF48354F208598E509EB251D735ED41DB90

Function 0079342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00793459
CoUninitialize.OLE32 ref: 00793463
VariantInit.OLEAUT32(?), ref: 0079346E
VariantClear.OLEAUT32(?), ref: 0079371B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fa29cbd7a4b7e59fcaf4ae133ec46e1059f41bfb37d60f4718a35a19f84cd2fa
Instruction ID: ef903cef02cfdb4cbe792d853964af5b248a9e606601f98a7a83fce1119c4696
Opcode Fuzzy Hash: fa29cbd7a4b7e59fcaf4ae133ec46e1059f41bfb37d60f4718a35a19f84cd2fa
Instruction Fuzzy Hash: 16A14B75204200DFCB14DF68D489A6AB7E5FF8C714F058859F98A9B3A2DB38ED41CB91

Function 00770436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007AFC08,?), ref: 007705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007AFC08,?), ref: 00770608
CLSIDFromProgID.OLE32(?,?,00000000,007ACC40,000000FF,?,00000000,00000800,00000000,?,007AFC08,?), ref: 0077062D
_memcmp.LIBVCRUNTIME ref: 0077064E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 84d7b9e48b41edeed5e9dfd2f6475782de075d0b4e78cffd45da8be6d46df471
Instruction ID: a650563f9ec91edc1a4ca41e0cd362376e373c8add486a579514354c8e86298b
Opcode Fuzzy Hash: 84d7b9e48b41edeed5e9dfd2f6475782de075d0b4e78cffd45da8be6d46df471
Instruction Fuzzy Hash: 2C81F971A00109EFCF04DF94C988DEEB7B9FF89355B208558E506AB250DB75AE46CBA0

Function 0079A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0079A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0079A6BA

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Process32NextW.KERNEL32(00000000,?), ref: 0079A79C
CloseHandle.KERNEL32(00000000), ref: 0079A7AB

Part of subcall function 0072CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00753303,?), ref: 0072CE8A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0a012ded850948e92e6cab2eceb89599a1b1ea259fb2b5220b23f97a5a6168f6
Instruction ID: 6577b24413231ee6815e4e94667bde4ead71ac23d8920695cd086d0c33202d25
Opcode Fuzzy Hash: 0a012ded850948e92e6cab2eceb89599a1b1ea259fb2b5220b23f97a5a6168f6
Instruction Fuzzy Hash: 85512C71508310EFD710EF28D88AA5BBBE8FF89754F00891DF58597291EB34E945CB92

Function 00751391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007514C0

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 11f4cb0e34aef113f07c777efa9966ab573af1de8a390dc7f1cc16eb232361a6
Instruction ID: 4601103d830c9f6ffe4c2a264c590a4605d009bf7ebc0a9833f63e991a09344d
Opcode Fuzzy Hash: 11f4cb0e34aef113f07c777efa9966ab573af1de8a390dc7f1cc16eb232361a6
Instruction Fuzzy Hash: 62411932A00140EBEB216BBD9C49BEF3AA4EF41373F544225FC19D6192E7BC4C455661

Function 007A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007A62E2
ScreenToClient.USER32(?,?), ref: 007A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007A6382

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1990292e2e5484b8a5cd53365201baba46e0165392aa680a69fd7fdd44bb544f
Instruction ID: 4efc3d8766e671c9d28c09bd4894cc893af8fa824a035af67feaa425aa908cc0
Opcode Fuzzy Hash: 1990292e2e5484b8a5cd53365201baba46e0165392aa680a69fd7fdd44bb544f
Instruction Fuzzy Hash: BA515E75A00249EFCF10DF68D881AAE7BB5FF86360F148269F9159B290D738ED81CB50

Function 00791AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00791AFD
WSAGetLastError.WSOCK32 ref: 00791B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00791B8A
WSAGetLastError.WSOCK32 ref: 00791B94

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 78b70921772a9e7e2707af4e3a7ca833293cc3b18a167f68ceda00b7d794ea14
Instruction ID: 1b7e1cf504daa74eb1ed0183a66106693f091b1087c9bbef8ef46b45fc3a64fb
Opcode Fuzzy Hash: 78b70921772a9e7e2707af4e3a7ca833293cc3b18a167f68ceda00b7d794ea14
Instruction Fuzzy Hash: 9041E574640200AFDB20AF24D88AF6577E5AB45718F54C448F5159F3D3D77AED82CB90

Function 0074B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61cac57aa9287b8374a46b73fc1356cae6cb878f8e4470574e93781097825df
Instruction ID: 1d3e6dad07d3bd57f1bf9b48819d2b219963d40529dedb8215219bb202d63f3d
Opcode Fuzzy Hash: c61cac57aa9287b8374a46b73fc1356cae6cb878f8e4470574e93781097825df
Instruction Fuzzy Hash: 11412872A00344FFD7259F3CCC49BAABBA9EB88710F10452AF555DB282D779ED118780

Function 007856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00785783
GetLastError.KERNEL32(?,00000000), ref: 007857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007857FA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5cd7e7d8f1ccf8de81665dcd7f44703fa1d4493f1b672674e2b1789c73a33587
Instruction ID: aedc73a5447bb7f83f07bf479572ed346029bf79406350a10ed640fbdfa898ce
Opcode Fuzzy Hash: 5cd7e7d8f1ccf8de81665dcd7f44703fa1d4493f1b672674e2b1789c73a33587
Instruction Fuzzy Hash: 7E411E35600610DFCB15EF59C549A5DBBF2EF89720B19C488E84A5B3A2CB38FD41CB91

Function 0074D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00736D71,00000000,00000000,007382D9,?,007382D9,?,00000001,00736D71,?,00000001,007382D9,007382D9), ref: 0074D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0074D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0074D9AB
__freea.LIBCMT ref: 0074D9B4

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 56c7eb64f4952d8d1a7dc259f83e30ae78b1513fe4994ddbf1153ebcfce38c6e
Instruction ID: 4b1d5987b2e5c612e5c0f20e73591c6447116879a260695939e46a2cd126b87e
Opcode Fuzzy Hash: 56c7eb64f4952d8d1a7dc259f83e30ae78b1513fe4994ddbf1153ebcfce38c6e
Instruction Fuzzy Hash: 7631BC72A0020AEBDF259F64DC45EBE7BA5EB41710F054168FC44D7291EB39ED50CBA0

Function 007A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007A5352
GetWindowLongW.USER32(?,000000F0), ref: 007A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A53A8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 8ec24d115c66e371fc198c9fe6d45fa2443054b903ce79c399e312ea844aafc4
Instruction ID: f8253f47388bd5e7af9bedd8ed2b26ba5eb8b11a6f090372afef422abf016b0e
Opcode Fuzzy Hash: 8ec24d115c66e371fc198c9fe6d45fa2443054b903ce79c399e312ea844aafc4
Instruction Fuzzy Hash: DE31C234A56A08FFEF349B14CC56BE83765ABC7398F584201FA11961E1C7BCA980DB42

Function 0077AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0077ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0077AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0077AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0077ACC6

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e9b3e3760d67f92022cc93b5a6742146307bf115d1693830a7ae855dcf5e47f5
Instruction ID: 9279e59dae8a3851c3392c43991e36b0035998a5286bb64a6f0de19995fde76e
Opcode Fuzzy Hash: e9b3e3760d67f92022cc93b5a6742146307bf115d1693830a7ae855dcf5e47f5
Instruction Fuzzy Hash: CB31F830A00718BFFF26CB658809BFE7BA5ABC5350F04D61AE489521D1D37D89858776

Function 007A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007A769A
GetWindowRect.USER32(?,?), ref: 007A7710
PtInRect.USER32(?,?,007A8B89), ref: 007A7720
MessageBeep.USER32(00000000), ref: 007A778C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8222429e87603aa520d2ab989237abd93db59250bd1d72e5fee2c958dc36e2aa
Instruction ID: 5a95ffa9941d253f9e6d829f03537fd33fb6085fb1a26ae83c4b75ec4bcbd60c
Opcode Fuzzy Hash: 8222429e87603aa520d2ab989237abd93db59250bd1d72e5fee2c958dc36e2aa
Instruction Fuzzy Hash: 5041AD34A05254EFCB09CF58CC94EA9B7F4FB8A310F5982A8E4149F261C738A941CF90

Function 007A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007A16EB

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

GetCaretPos.USER32(?), ref: 007A16FF
ClientToScreen.USER32(00000000,?), ref: 007A174C
GetForegroundWindow.USER32 ref: 007A1752

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 75756b039283b4b37f47a5a0488ce62a4494c86dcf847f1687b7e66d50cce1e6
Instruction ID: 199fa5c7aea7d3107031c96be1125a6b4487e95fb12657b37f0ee0272d4b50b1
Opcode Fuzzy Hash: 75756b039283b4b37f47a5a0488ce62a4494c86dcf847f1687b7e66d50cce1e6
Instruction Fuzzy Hash: 84316075D00149AFD704DFA9C8858EEB7FDEF89304B548069E415E7251D7349E41CBA0

Function 007A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

GetCursorPos.USER32(?), ref: 007A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00767711,?,?,?,?,?), ref: 007A9016
GetCursorPos.USER32(?), ref: 007A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00767711,?,?,?), ref: 007A9094

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f462a42da49546f0e7588f1cb11eafcf2b4268199ca48b83dfce954557877f9c
Instruction ID: f0bf60ac05fe00f60078d10a4bc04517eef14b801149dcb7f53d9079e9769751
Opcode Fuzzy Hash: f462a42da49546f0e7588f1cb11eafcf2b4268199ca48b83dfce954557877f9c
Instruction Fuzzy Hash: 80219135601018FFCB268F94D859EEB7BB9EB8A391F148155F6054B161C339A960DB60

Function 0077D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007ACB68), ref: 0077D2FB
GetLastError.KERNEL32 ref: 0077D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0077D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007ACB68), ref: 0077D376

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3c5a1d118e3be5530d325b5eb120ff8505881f6a09e4a7b43c80b1d1d5a4b344
Instruction ID: e2033a7b7a6cda05b1a3a4209e3f74976e69c63e647c12815b711f823dee028e
Opcode Fuzzy Hash: 3c5a1d118e3be5530d325b5eb120ff8505881f6a09e4a7b43c80b1d1d5a4b344
Instruction Fuzzy Hash: 96214170505201DF8B20DF28C8858AAB7F4AE967A4F508A1DF499C72E1DB39DD46CB93

Function 00771571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00771014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0077102A
Part of subcall function 00771014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00771036
Part of subcall function 00771014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771045
Part of subcall function 00771014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0077104C
Part of subcall function 00771014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007715BE
_memcmp.LIBVCRUNTIME ref: 007715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00771617
HeapFree.KERNEL32(00000000), ref: 0077161E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 059e97b7ceb2d038111571109460a32ecb971550b7184d99215dfe4fdb327fc6
Instruction ID: c18340a758ca5b856a792fe0ba322e5ea7d9ea66a17b519caf46b8a5fb471d9c
Opcode Fuzzy Hash: 059e97b7ceb2d038111571109460a32ecb971550b7184d99215dfe4fdb327fc6
Instruction Fuzzy Hash: BB218E71E00108EFDF14DFA8C945BEEB7B8EF85384F598859E445AB241EB38AA05DB50

Function 007A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007A2840

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8d26289408348c32e6a700610196ba97a44d6407e7b1cfcea6d074812e142260
Instruction ID: 5a6a8ac9f1b92b1ae98adb612e56604d66089adbb835a953e45b3f2b3c1ba1c5
Opcode Fuzzy Hash: 8d26289408348c32e6a700610196ba97a44d6407e7b1cfcea6d074812e142260
Instruction Fuzzy Hash: E321C131605511BFD7159B28C844FAA7B95AFC6324F248258F4268B6E3CB79FD82CB90

Function 007778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00778D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?), ref: 00778D8C
Part of subcall function 00778D7D: lstrcpyW.KERNEL32(00000000,?,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00778DB2
Part of subcall function 00778D7D: lstrcmpiW.KERNEL32(00000000,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?), ref: 00778DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777923
lstrcpyW.KERNEL32(00000000,?,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777984

Strings

cdecl, xrefs: 0077797B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 36ee9d64803037bf0cb900d9eedd9bc7d558f6163078929b70106a8c0f8192c2
Instruction ID: a0f678016aa2c16988d50ae74539a815239621dc709e867288bdd05e83e357df
Opcode Fuzzy Hash: 36ee9d64803037bf0cb900d9eedd9bc7d558f6163078929b70106a8c0f8192c2
Instruction Fuzzy Hash: 5B11D63A201201ABCF155F34D849D7A77A9FF95390B50C02AF94AC7264EB39A811CB91

Function 007A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0078B7AD,00000000), ref: 007A7D6B

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e46b6f90d4002abf92f19974296a6456a8e9dcb148a2e50f866de69765b5bfa9
Instruction ID: e9eea10e247e65331f8f03ba4858b2e7329cae41eeacd5d2fe8fdc35855118a2
Opcode Fuzzy Hash: e46b6f90d4002abf92f19974296a6456a8e9dcb148a2e50f866de69765b5bfa9
Instruction Fuzzy Hash: 0811A231605665AFCB159F28CC04A6A3BA5AF86370B558724F835DB2F0E7389950DB50

Function 007A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007A56BB
_wcslen.LIBCMT ref: 007A56CD
_wcslen.LIBCMT ref: 007A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A5816

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8ec7f131bdd8c6fcded7d30868c053a06f18e2270ed908f4812853992bfc62cc
Instruction ID: d398df136e75f7f940bd601cbf6cdde229c95948103f70c32fe1119d11eed71b
Opcode Fuzzy Hash: 8ec7f131bdd8c6fcded7d30868c053a06f18e2270ed908f4812853992bfc62cc
Instruction Fuzzy Hash: EC110671600604E6DB20DF61CC85EEE377CEF86760F104266F905D6081EB7CD980CB60

Function 00741D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e004ee968eb08768ecb60f81879af46382dec73ea5a1d631e52d9b598e03d2
Instruction ID: 388260fa4d6765fa5285f35096e97a3c227c310dd972e6284ccb39ba9039f47f
Opcode Fuzzy Hash: f1e004ee968eb08768ecb60f81879af46382dec73ea5a1d631e52d9b598e03d2
Instruction Fuzzy Hash: 7901F2F2B0560A7EF62126786CC0F27261CDF813B8B740325F530611D2DB789C804A70

Function 00771A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00771A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A8A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9c3985466b9ad6068fdbf702da99ac7b7c99865a1a63c9bfe81305c9fd6051c6
Instruction ID: 3ad0ef151caf91cbc38a1ac9d145fcd78fc8ef8934586be23d2283e49fbab8e5
Opcode Fuzzy Hash: 9c3985466b9ad6068fdbf702da99ac7b7c99865a1a63c9bfe81305c9fd6051c6
Instruction Fuzzy Hash: 0711393AD01219FFEF11DBA8CD85FADBB78EB08750F218091EA04B7290D6716E50DB94

Function 0077E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0077E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0077E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0077E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0077E24D

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 91e317719598e648f81716a15c4115b157ae3b6152272062314fdba0f65d95de
Instruction ID: 8911cbf97687a9996d4ff1e21bc5ccf88ba562772973d7303d0f1619d3d6cd8a
Opcode Fuzzy Hash: 91e317719598e648f81716a15c4115b157ae3b6152272062314fdba0f65d95de
Instruction Fuzzy Hash: 80112F71A04258BBDB019FACDC45A9F7FACAB89354F00C255F814D7291D678CD008765

Function 0073D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0073CFF9,00000000,00000004,00000000), ref: 0073D218
GetLastError.KERNEL32 ref: 0073D224
__dosmaperr.LIBCMT ref: 0073D22B
ResumeThread.KERNEL32(00000000), ref: 0073D249

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b43233843b4a70fc5600e370aab970dc28102fd01eab50107b4e3fc98def2bdd
Instruction ID: 9f26d44dce493e0d6c1e303b9c5e96af101de495cbe113c63683824108f2e0a9
Opcode Fuzzy Hash: b43233843b4a70fc5600e370aab970dc28102fd01eab50107b4e3fc98def2bdd
Instruction Fuzzy Hash: F5012632805108BBEB315BA5EC09BAF3A6CEF82330F104219F924921D2CF79CC01C6A1

Function 007A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

GetClientRect.USER32(?,?), ref: 007A9F31
GetCursorPos.USER32(?), ref: 007A9F3B
ScreenToClient.USER32(?,?), ref: 007A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007A9F7A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f1b9c56f2dcdef26b7bbdd5e6a63d7855115294c32942e67d56c2ee5e0f32f02
Instruction ID: be780dd61c74435c095c49c7088e26a2eede95cd4f2762b39b533488b45b7535
Opcode Fuzzy Hash: f1b9c56f2dcdef26b7bbdd5e6a63d7855115294c32942e67d56c2ee5e0f32f02
Instruction Fuzzy Hash: 6311363290015AFFDF15DF68D88A9EE77B8EB86311F504551FA01E7140D338BAA1CBA5

Function 0071600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
GetStockObject.GDI32(00000011), ref: 00716060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f96b536cc5d7791d9bf739a5debaef31921c81f28bb63e41ad3845cabd22f155
Instruction ID: b16116216a3d24536e27ba48669843f9bfe5fb09d4870dfdcfc96ed6d6235638
Opcode Fuzzy Hash: f96b536cc5d7791d9bf739a5debaef31921c81f28bb63e41ad3845cabd22f155
Instruction Fuzzy Hash: 5F116D72501548BFEF128FA8DC45EEABBA9EF4D3A4F044215FA1452150D73A9CA0DBA0

Function 00733B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00733B56

Part of subcall function 00733AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00733AD2
Part of subcall function 00733AA3: ___AdjustPointer.LIBCMT ref: 00733AED

_UnwindNestedFrames.LIBCMT ref: 00733B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00733B7C
CallCatchBlock.LIBVCRUNTIME ref: 00733BA4

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fb773ee0a676afe724b71170e27e3788d94d1134f51c031a22b100f50fe37024
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 19012972100148BBEF225E95CC46EEB7B6AEF48754F044014FE4866122C73AE961DBA0

Function 00743073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007113C6,00000000,00000000,?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue), ref: 007430A5
GetLastError.KERNEL32(?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue,007B2290,FlsSetValue,00000000,00000364,?,00742E46), ref: 007430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue,007B2290,FlsSetValue,00000000), ref: 007430BF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4a1a8d35da4acb023a0540a27b39e6112f871098e2351a9d12ac1efb0845a0ea
Instruction ID: d6d4cceb2e85661b7d54412e8a28d640fc32cab3a9c5e2751c1d397920ba2bd9
Opcode Fuzzy Hash: 4a1a8d35da4acb023a0540a27b39e6112f871098e2351a9d12ac1efb0845a0ea
Instruction Fuzzy Hash: 73012B32301226BBCB314B789C45A577B9AAF46B61B204720F91DE71A0C72DD901C6E4

Function 00777464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0077747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00777497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007774CA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c4632a4660b45bcab75c92cd97b203b4ccbf3b44c270c3e32b36aa399529da00
Instruction ID: 7d697ee27c0fa2f50edce55a09ce4ac8bcff387172736c0978a160c5a9542ed3
Opcode Fuzzy Hash: c4632a4660b45bcab75c92cd97b203b4ccbf3b44c270c3e32b36aa399529da00
Instruction Fuzzy Hash: 1511C0B1209354AFEB248F24DC08FA27FFCEB44B50F10C569A61AD6191D7B8E904DB60

Function 0077B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B126

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2baaa5a86f6eda4dce2fb6cb5688d83d2b8764af3ae19b7f42fc0220f531a6f9
Instruction ID: 9cfc8a4ed73d6a8acaf18e2a0a2f850d2751789e73b9098eef03c3e9077e4492
Opcode Fuzzy Hash: 2baaa5a86f6eda4dce2fb6cb5688d83d2b8764af3ae19b7f42fc0220f531a6f9
Instruction Fuzzy Hash: 0211AD70E0152CE7CF00AFE4E9697EEBB78FF4A351F408086D945B2181CB388A51CB55

Function 007A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007A7E33
ScreenToClient.USER32(?,?), ref: 007A7E4B
ScreenToClient.USER32(?,?), ref: 007A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007A7E8A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ff8309f60824f2e43d8df46afaedb48a069c191cc08796a155ebd923504c5a3f
Instruction ID: a0a5e5fe3e85cf18910e03b2b46a34f6176e56a9eb8c5866c28d2ef09ea8f78d
Opcode Fuzzy Hash: ff8309f60824f2e43d8df46afaedb48a069c191cc08796a155ebd923504c5a3f
Instruction Fuzzy Hash: 8B1153B9D0420AAFDB41CF98C884AEEBBF9FF49310F509166E915E3210D735AA54CF94

Function 00772DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00772DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00772DD6
GetCurrentThreadId.KERNEL32 ref: 00772DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00772DE4

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ed97e9ec6dea7840fa5eca24d4b015007cfee81c602030e02bdb32be63740f17
Instruction ID: 5e52246df146b520392c58fd946df717b42ec19500565b711ebf8269865dbe1b
Opcode Fuzzy Hash: ed97e9ec6dea7840fa5eca24d4b015007cfee81c602030e02bdb32be63740f17
Instruction Fuzzy Hash: F5E092716012247BDB315B729C0EFEB3E6CEF83BA1F008015F109D10819AA8C841C6B1

Function 007A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00729639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296A2
Part of subcall function 00729639: BeginPath.GDI32(?), ref: 007296B9
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007A8887
LineTo.GDI32(?,?,?), ref: 007A8894
EndPath.GDI32(?), ref: 007A88A4
StrokePath.GDI32(?), ref: 007A88B2

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 264c68e86d32b17346fef68ce5a33bf84361f113f9ab0cdd0157090ff7da2845
Instruction ID: 5af2d0b8fdc43b2f7eadc4709215949313a1e45cc11b3ced30b144e275de48c3
Opcode Fuzzy Hash: 264c68e86d32b17346fef68ce5a33bf84361f113f9ab0cdd0157090ff7da2845
Instruction Fuzzy Hash: 9EF03A36046298FADB135F94AC0EFCE3A59AF4A310F44C100FA11651E2CB7D5511CBA9

Function 007298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007298CC
SetTextColor.GDI32(?,?), ref: 007298D6
SetBkMode.GDI32(?,00000001), ref: 007298E9
GetStockObject.GDI32(00000005), ref: 007298F1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a1f37ed5990670bc7e213084769338620fa5c839cbf1cc8b4e6f515d5ea8f3b9
Instruction ID: 9c9aa6bc14fb10cbaf16ab1fda7488236249375bdec1974ae689e1d93bc762b6
Opcode Fuzzy Hash: a1f37ed5990670bc7e213084769338620fa5c839cbf1cc8b4e6f515d5ea8f3b9
Instruction Fuzzy Hash: A0E06531244284BADB225B74FC09BD83F50EB93375F14C219F6F6540E1C7794650DB10

Function 0077162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00771634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007711D9), ref: 0077163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007711D9), ref: 00771648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007711D9), ref: 0077164F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7d6b5c69862bd7aaf3afd2b3a4d9a65eafb134faa5211911b7156684f2c590aa
Instruction ID: e8a0564065f0b8902758be5b0c911e8e7871284facb81b3d28a4355e838859f2
Opcode Fuzzy Hash: 7d6b5c69862bd7aaf3afd2b3a4d9a65eafb134faa5211911b7156684f2c590aa
Instruction Fuzzy Hash: 41E08631601211FBDB201FA49E0DB473B7CAF867D1F14C808F245C9080DA3C4540C759

Function 0076D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0076D858
GetDC.USER32(00000000), ref: 0076D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0076D882
ReleaseDC.USER32(?), ref: 0076D8A3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e3ea4095172ef440f9ba5e7a5ab663e791111ede09ade675f21337be0df286af
Instruction ID: 741e37b7bd531bf5342827510a8d55408346f31af3fa7cfcb7366c5d9b335626
Opcode Fuzzy Hash: e3ea4095172ef440f9ba5e7a5ab663e791111ede09ade675f21337be0df286af
Instruction Fuzzy Hash: 30E01AB1800205EFCB529FA0D80C66EBBB5FB49310F14D009E806E7350CB3C8941AF44

Function 0076D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0076D86C
GetDC.USER32(00000000), ref: 0076D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0076D882
ReleaseDC.USER32(?), ref: 0076D8A3

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 50b0304b434d9e8c3ae73be0564f2a114ce7b55a78ca19472196491a8800b464
Instruction ID: 5df945cd1ef420ed72db4d1bbb160294ddd3e697e89e8e27357517169cb7e31b
Opcode Fuzzy Hash: 50b0304b434d9e8c3ae73be0564f2a114ce7b55a78ca19472196491a8800b464
Instruction Fuzzy Hash: F3E092B5800204EFCB56AFA4D80C66EBBB5BB89311B149449E94AE7360DB3C9942AF54

Function 00784D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00784ED4

Strings

*, xrefs: 00784E10
LPT, xrefs: 00784DFB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f1967f2008ec65a96dc526de94f3552334ef0e32454da9c7a0dc4ae6eb040fb7
Instruction ID: fae27524edb2e5a0e25ad67425236742fddd8e1c5f37204f6e101f43773634c2
Opcode Fuzzy Hash: f1967f2008ec65a96dc526de94f3552334ef0e32454da9c7a0dc4ae6eb040fb7
Instruction Fuzzy Hash: F5914E75A00205DFCB15EF58C484EAABBF1AF44304F19809DE50A9F3A2D779ED85CB91

Function 0073E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0073E30D

Strings

pow, xrefs: 0073E2E5, 0073E302

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7d97af43f3670dfdf40d75167aff79011ab0b6dd7ea388af68549a0dff0c55a1
Instruction ID: 62425bd3df622c85d76ea09a0da40b3339cc8f140b09778aa95f41f1cb9b65bb
Opcode Fuzzy Hash: 7d97af43f3670dfdf40d75167aff79011ab0b6dd7ea388af68549a0dff0c55a1
Instruction Fuzzy Hash: F4516E61E1D102D6EB197724CD457BA3B94EF40740F748E58F0D5422EBEB3D8C92DA46

Function 00797771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0076569E,00000000,?,007ACC08,?,00000000,00000000), ref: 007978DD

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

CharUpperBuffW.USER32(0076569E,00000000,?,007ACC08,00000000,?,00000000,00000000), ref: 0079783B

Strings

<s}, xrefs: 007977C8

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s}
API String ID: 3544283678-4170637906
Opcode ID: 60c63244a91ec48af152bc6584a9deb84c8057ef4d2fcba4c4599c74957c6293
Instruction ID: 9178acf46b7abae1090fa73a1748172c2e1e973f7c00b95846b9bc74d9a879f7
Opcode Fuzzy Hash: 60c63244a91ec48af152bc6584a9deb84c8057ef4d2fcba4c4599c74957c6293
Instruction Fuzzy Hash: 67616E72924118EACF09EBE8DC95DFDB378FF14300B444126F542A7195EF38AA85CBA0

Function 0072E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0072E1B1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 962d936dc2b8cf724b9ee62e1791ff551acf644a86194d637ff248ef58ad95f1
Instruction ID: a48991b9de0feb51e804284b8db169ffbbcd1d7a5cb97d46efbc32101d8750ec
Opcode Fuzzy Hash: 962d936dc2b8cf724b9ee62e1791ff551acf644a86194d637ff248ef58ad95f1
Instruction Fuzzy Hash: 91510339500256DFDB15DF68D485AFA7BA8EF56310F248059FC929B2D0D63C9D82CBA0

Function 0072F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0072F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0072F2BB

Strings

@, xrefs: 0072F2AF

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f5b02ca3b21e908836a503f0bfc741537a5c1b0a865304d532cdef6ba9fcc623
Instruction ID: e05e476af38151a7b1e083595fed35b6570ee2461905869f12b55a26f86f3841
Opcode Fuzzy Hash: f5b02ca3b21e908836a503f0bfc741537a5c1b0a865304d532cdef6ba9fcc623
Instruction Fuzzy Hash: 4D513572408744DBD320AF54D88ABABBBF8FB85700F81885DF199411A5EB3485A9CB66

Function 00795745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007957E0
_wcslen.LIBCMT ref: 007957EC

Strings

CALLARGARRAY, xrefs: 007957E6, 007957EB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: af296776850fe5d3ce9a615b9e128a939e4effb9078966d55eec0fee16cd33eb
Instruction ID: eef349a70a4dc84639301aff7ceda9b1026a23149804fc9eb42a5413bf0f9a1e
Opcode Fuzzy Hash: af296776850fe5d3ce9a615b9e128a939e4effb9078966d55eec0fee16cd33eb
Instruction Fuzzy Hash: E2419F71A00219DFCF05DFA8D889DAEBBB5EF59360F108069E505A7391E7389D81CBA0

Function 0078D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0078D13A

Strings

|, xrefs: 0078D10B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 18d211c4a799619355fb361b34fada199b64f041c88f38b4a39364f50aa80844
Instruction ID: 5202152c998dc024829b626151db7a83d615b13db065ba85182a6efc76b21238
Opcode Fuzzy Hash: 18d211c4a799619355fb361b34fada199b64f041c88f38b4a39364f50aa80844
Instruction Fuzzy Hash: 17313E71D00219EBCF15EFA4CC89AEE7FB9FF04310F000119F915A61A6EB39A956CB50

Function 007A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007A365C

Strings

static, xrefs: 007A35BC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: cb4e5bf460b2c51f1e7f5f69e6af1b373f67b903a1da69d6026a554be803376e
Instruction ID: 2e5b27c41cf8227dffd29bf12271bb8c4234f82a939d0459e84d9ff44fc01ab7
Opcode Fuzzy Hash: cb4e5bf460b2c51f1e7f5f69e6af1b373f67b903a1da69d6026a554be803376e
Instruction Fuzzy Hash: 85319E71500204AEDB14DF78DC85EFB73A9FF89720F009619F8A597280DA39ED91DB60

Function 007A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A4634

Strings

', xrefs: 007A458E

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 534d68ac91c4d9046ea9c4e89b8317e686e2d8f5b2890ef6f209b0b469e7e371
Instruction ID: 6afff3624d9148166911c712d7070b223802c96edfe7cdcf1318e16d21980cce
Opcode Fuzzy Hash: 534d68ac91c4d9046ea9c4e89b8317e686e2d8f5b2890ef6f209b0b469e7e371
Instruction Fuzzy Hash: 49313875E01209AFDF14CFA9C981BDA7BB5FF8A300F10416AE904AB381D7B5A951CF90

Function 007A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A3287

Strings

Combobox, xrefs: 007A3249

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 438d93188bc79f62307dbe72b64fe797c0435ef4c4f51d509394f0e18d68ed1c
Instruction ID: ea65e3c8a5a57973b5c92c90f2dcaaa6aad6bc4ddaa8b02f8f3af3ee47ed7686
Opcode Fuzzy Hash: 438d93188bc79f62307dbe72b64fe797c0435ef4c4f51d509394f0e18d68ed1c
Instruction Fuzzy Hash: 67119371200208BFEF159F54DC85FAB376AEB9A364F104225F914972D0D6399D518760

Function 007A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0071600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
Part of subcall function 0071600E: GetStockObject.GDI32(00000011), ref: 00716060
Part of subcall function 0071600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

GetWindowRect.USER32(00000000,?), ref: 007A377A
GetSysColor.USER32(00000012), ref: 007A3794

Strings

static, xrefs: 007A3757

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7318cadf632499e8189b08618e2d78f57a29e576389fd2a7e9ffd89cf568127a
Instruction ID: fa11b5cf22c88d02201a068dbd63007e2309bbde98d56ed2c8edd5a8bb1413da
Opcode Fuzzy Hash: 7318cadf632499e8189b08618e2d78f57a29e576389fd2a7e9ffd89cf568127a
Instruction Fuzzy Hash: 711129B2610209AFDB01DFA8CC86EFA7BB8EB49354F004614F955E2250E739E8519B60

Function 0078CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0078CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0078CDA6

Strings

<local>, xrefs: 0078CD66

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 23eb1ed9570b4faf8ac2c9f75059824465fe3ec9d6ae3f43da1040af5018cedf
Instruction ID: 463f4eb878316899dff3e79c4896166dad6c4f5176253fcb105cad196e519cde
Opcode Fuzzy Hash: 23eb1ed9570b4faf8ac2c9f75059824465fe3ec9d6ae3f43da1040af5018cedf
Instruction Fuzzy Hash: 1611C6713856317AD7367B668C45EE7BEACEF527A4F004226B10983180D7789841D7F0

Function 007A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007A34BA

Strings

edit, xrefs: 007A348F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e71a227a7ef31687f4dd8a09dae123b879fb3b4b8470097b344812b7c8541f31
Instruction ID: 90f656930551082b4b119faeb003ef4396a43ba512ccabcb60a0e474a0b5e277
Opcode Fuzzy Hash: e71a227a7ef31687f4dd8a09dae123b879fb3b4b8470097b344812b7c8541f31
Instruction Fuzzy Hash: F7118F71500248AFEB128E64DC44AFB376AEB8A374F504324F961971D0C779DC919B55

Function 00776C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

CharUpperBuffW.USER32(?,?,?), ref: 00776CB6
_wcslen.LIBCMT ref: 00776CC2

Strings

STOP, xrefs: 00776CBC, 00776CC1

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7e9010b53f0b763e389b877d99cd87f70bb3efd0fb68157a28861d2dad7ee6da
Instruction ID: 24ed70f7f630d64623b533327e4a6c6a7677b8696e8339268bb5f2c678f05bcb
Opcode Fuzzy Hash: 7e9010b53f0b763e389b877d99cd87f70bb3efd0fb68157a28861d2dad7ee6da
Instruction Fuzzy Hash: F00104326109268BCF21AFBDCC959BF73B4EB61790B104924E95696198EB39E940C660

Function 00771CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00771D4C

Strings

ListBox, xrefs: 00771D16
ComboBox, xrefs: 00771CEB

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3c16558d8ba28d34517fe1b3b986d1edde4f8437e27969ccba4ae58f188af670
Instruction ID: 69c92790b0bcb1104e06ef9ac6d4481c8ffb5b46439baf49c7dd1f8b68c2fa46
Opcode Fuzzy Hash: 3c16558d8ba28d34517fe1b3b986d1edde4f8437e27969ccba4ae58f188af670
Instruction Fuzzy Hash: 4F01B571701214ABCF14EBA8CC56DFE7368EB463D0B44491AB976673C1EA3859099B60

Function 00771BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00771C46

Strings

ListBox, xrefs: 00771C10
ComboBox, xrefs: 00771BE5

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 571f9f239305f58f31bc8670bb75903922e65eb97a6aa78df7d4ed35217eb655
Instruction ID: 129d64a83cb6244f6c32aab7bddae2157c9f5daaea8f72d32fc551fe87b6367a
Opcode Fuzzy Hash: 571f9f239305f58f31bc8670bb75903922e65eb97a6aa78df7d4ed35217eb655
Instruction Fuzzy Hash: 7701FCB1740104A7CF05EBE8C966DFF73A89B113C0F604016B91A772C1EA2C9F0897B1

Function 00771C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00771CC8

Strings

ListBox, xrefs: 00771C94
ComboBox, xrefs: 00771C69

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2de6088e3c752d2a7b3cc1ca382326b98eb427115d88c83fc413395b1eb12246
Instruction ID: da9a49bf8b4d7ed003c0939d17457ca0d2e050432408e79c4e1d7c123339ac3a
Opcode Fuzzy Hash: 2de6088e3c752d2a7b3cc1ca382326b98eb427115d88c83fc413395b1eb12246
Instruction Fuzzy Hash: 4C01DBB1640114A7CF05EBE8CA16EFE73A89B113C0F544016B946732C1EA2C9F19D7B1

Function 0072A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0072A529

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Strings

3yv, xrefs: 0072A545, 0072A54D, 0072A552
,%~, xrefs: 0072A509

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%~$3yv
API String ID: 2551934079-3390321579
Opcode ID: e70cc34fd02a47cd1edbdc33fdc44e2035e256fff57f803c50af3c0e47c68643
Instruction ID: f405149cb9050602bf3e4342352e4b433efcf8b53462caaf1f6788e99cc0f2ae
Opcode Fuzzy Hash: e70cc34fd02a47cd1edbdc33fdc44e2035e256fff57f803c50af3c0e47c68643
Instruction Fuzzy Hash: CE012B32701664EBD604F77DE86FA9E7368DB09710F400068FA025B1C3EE5C9D528AD7

Function 00771D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00771DD3

Strings

ListBox, xrefs: 00771DA0
ComboBox, xrefs: 00771D75

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f6392e094bd9918cffaef111d3e0248fa533150abde4bbb1dbc27190cce5acee
Instruction ID: c34d5a896fa642456b8fd4cae93da0570fb5490ccf379cceb70a5102b0b8e3d4
Opcode Fuzzy Hash: f6392e094bd9918cffaef111d3e0248fa533150abde4bbb1dbc27190cce5acee
Instruction Fuzzy Hash: A3F0A4B1B41214A7DF14EBA8CC66FFE7778AB02390F440916B966632C1DA685A0987B0

Function 007A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007E3018,007E305C), ref: 007A81BF
CloseHandle.KERNEL32 ref: 007A81D1

Strings

\0~, xrefs: 007A818A

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0~
API String ID: 3712363035-4061946894
Opcode ID: 5729a2ea275749d0f49f96b11ad2740093a3c3997819acb68cfbc56149204c7d
Instruction ID: 4e35c462da9ddf2d1b9476e6a7bf69fe21d82da324afbb4fcc5ebea9d1432271
Opcode Fuzzy Hash: 5729a2ea275749d0f49f96b11ad2740093a3c3997819acb68cfbc56149204c7d
Instruction Fuzzy Hash: 01F054B1641354BAF6206761AC4DFB73A5DDB09750F008461BB08DA1A2D67D8A0082BD

Function 0079747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00797493
_wcslen.LIBCMT ref: 007974B9

Strings

3, 3, 16, 1, xrefs: 00797483

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bb540ef7a9207bf98e9b4d026d40d979086a4606e85ce9f5ea8cbfe8531bdfae
Instruction ID: 332c9b4072a4b9f4be3bbb043835d7c53d6003edd04b41341b1729bc571e8672
Opcode Fuzzy Hash: bb540ef7a9207bf98e9b4d026d40d979086a4606e85ce9f5ea8cbfe8531bdfae
Instruction Fuzzy Hash: 5BE02B422242A060A73D1279BCC5B7F5789CFC9760B14182BF985C2277EA9CAD91D3A0

Function 00770B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00770B23

Strings

AutoIt, xrefs: 00770B17
Error allocating memory., xrefs: 00770B1C

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 31cc8e9500bf77f26d5910c96a76947d3335e7e01f5d4ea35c0a2bc249a98da4
Instruction ID: 3831991b6418f235d5b1f65dc34bfb0320a7b429187b51b34f2e199cffee67f0
Opcode Fuzzy Hash: 31cc8e9500bf77f26d5910c96a76947d3335e7e01f5d4ea35c0a2bc249a98da4
Instruction Fuzzy Hash: 96E0D871384318B6D21537547C0BF897A948F06B60F104477F748555C38EE9789046E9

Function 00730D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0072F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00730D71,?,?,?,0071100A), ref: 0072F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0071100A), ref: 00730D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0071100A), ref: 00730D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00730D7F

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 92915eb79251d266fd433f26656644407375c4b3f8d713728bb1add795f49f67
Instruction ID: 15e84ceb889e70ac65a57bc85efc55f0a0d91d75a1c319ef4d23671f6945dee6
Opcode Fuzzy Hash: 92915eb79251d266fd433f26656644407375c4b3f8d713728bb1add795f49f67
Instruction Fuzzy Hash: 5EE06D702003518BE3209FBCE8183467BE0BB05740F008A3DE482C6692DBBCE4848BD1

Function 0072E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0072E3D5

Strings

0%~, xrefs: 0072E3B5
8%~, xrefs: 0072E3CA

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%~$8%~
API String ID: 1385522511-2129309850
Opcode ID: 5c7d60a4a052f815c9db1d0352c9ebcd1a8e1711903adc8b26cbf13de5b59c84
Instruction ID: 35b48ed76a4d41f1d959aec5dc0e07f949a05d8caa7cf9f28ab6f7bfde5dc701
Opcode Fuzzy Hash: 5c7d60a4a052f815c9db1d0352c9ebcd1a8e1711903adc8b26cbf13de5b59c84
Instruction Fuzzy Hash: 92E0863141AAB4CBD604D718BAA9A8C3359AB0D321B5051F9E1128B1D7DBBC28538699

Function 00783017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0078302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00783044

Strings

aut, xrefs: 00783038

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: eb847fd4353cb9bd0810b029664d860a393e1454bbc85891bcc0aa76e21d8fd7
Instruction ID: cbf477f88187c79d9d3513cbaf59f1be68f4653570ae434bcd81ae533c06db59
Opcode Fuzzy Hash: eb847fd4353cb9bd0810b029664d860a393e1454bbc85891bcc0aa76e21d8fd7
Instruction Fuzzy Hash: D9D05B7150031477DA2097949D0DFC73B6CD745750F0041527655D60D1DAB49544CAD4

Function 0076D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0076D220

Strings

X64, xrefs: 0076D2A8
%.3d, xrefs: 0076D22B

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a552ed99f5cb52c4b628b71519f9491e361a476781d01d07ff585ed2f985b3aa
Instruction ID: bea029d3b8c51399cbb27f3f30ca628d851bd635dcfd33f0c7dddd04998681f1
Opcode Fuzzy Hash: a552ed99f5cb52c4b628b71519f9491e361a476781d01d07ff585ed2f985b3aa
Instruction Fuzzy Hash: F4D017A1D18158EECBB096E0DC599BAB3BCBB08301F608462FD07A2040E73CCD08AB61

Function 007A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A236C
PostMessageW.USER32(00000000), ref: 007A2373

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Strings

Shell_TrayWnd, xrefs: 007A2365

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cc2eb4b37515c78ead3de7c3a44e6c04d111af179e59818920acb7cd5ba2dfe1
Instruction ID: 622d9ce911a18c805707ce4a5be124e237ed1f35294dc1eabb9c8d22f34bf8d0
Opcode Fuzzy Hash: cc2eb4b37515c78ead3de7c3a44e6c04d111af179e59818920acb7cd5ba2dfe1
Instruction Fuzzy Hash: 35D012727C1310BBE665B770DC0FFC676149B56B10F1089567755EA1D0C9F8B801CA58

Function 007A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007A233F

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Strings

Shell_TrayWnd, xrefs: 007A2325

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3f2ea37b47192f890c700f16b84d0a1c43774ec8507bda8869f77ee514fa8438
Instruction ID: d162387247c83c955cb3b0aa8cd0b9108e651f9b138c9ec3e724971fee013fc8
Opcode Fuzzy Hash: 3f2ea37b47192f890c700f16b84d0a1c43774ec8507bda8869f77ee514fa8438
Instruction Fuzzy Hash: 9FD01276794310F7E664B770DC0FFC67A149B55B10F1089567759AA1D0C9F8B801CA58

Function 0074BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0074BE93
GetLastError.KERNEL32 ref: 0074BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0074BEFC

Memory Dump Source

Source File: 00000000.00000002.1754568708.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.1754511227.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754689506.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754764944.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1754795963.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 84aa41ba18a17a595a67c3ebf16b76717e4fcc60e647f0b6793d68da846410f9
Instruction ID: 1896a62232b49fe8b548903758c668d8768fdb462959849f7a6e0f313ae9482c
Opcode Fuzzy Hash: 84aa41ba18a17a595a67c3ebf16b76717e4fcc60e647f0b6793d68da846410f9
Instruction Fuzzy Hash: A6412835600216FFDF218FA5CC84ABA7BA4EF82310F154169F95D971A2DB38CD05DB51

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1872810007.000001F0FFD56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909261667.000001F0FFD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891911008.000001F0FFD65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1826646707.000001F0974A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1826646707.000001F0974B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873863283.000001F0974A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1916889798.000001F09723C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829402225.000001F093161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895015072.000001F09337D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830079270.000001F09306B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829402225.000001F093161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1826646707.000001F0974A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1826646707.000001F0974B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873863283.000001F0974A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1916889798.000001F09723C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829402225.000001F093161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895015072.000001F09337D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1828850091.000001F09335D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830079270.000001F09306B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829402225.000001F093161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2943189494.000002428F30A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2943189494.000002428F30A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2943189494.000002428F30A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2943189494.000002428F30A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2943189494.000002428F30A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2943189494.000002428F30A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.2943509349.00000217AAC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1826646707.000001F0974A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1826646707.000001F0974B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827780280.000001F093898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1916889798.000001F09723C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1827780280.000001F093898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894255661.000001F093898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1832521357.000001F08D8C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49830 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_13f5ad97-b408-46c0-b2ed-b10a37f5ed97.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_13f5ad97-b408-46c0-b2ed-b10a37f5ed97.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre