Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545300
MD5:	388a4d9e5a5ec3446324f1dcfee1f8db
SHA1:	4dbf48c4bb5b82da95778263d0fa897cf77909aa
SHA256:	10582062c33d5d8478731c97de4f2882f25332a603d048f4ada7aab4af0730e4
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 388A4D9E5A5EC3446324F1DCFEE1F8DB)

taskkill.exe (PID: 7416 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7508 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7568 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7632 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7688 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7744 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7788 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7804 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8044 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb6f847-cb9e-4fb5-afb6-641a629cd22d} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b04870510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7736 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -parentBuildID 20230927232528 -prefsHandle 3560 -prefMapHandle 3100 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bf62ce-243b-4030-87bf-9d8b0acb858c} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b16cb5410 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2828 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5308 -prefMapHandle 1556 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cdc9275-8888-45cf-a7dd-d000686ae1a0} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b15a97310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7400	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0076EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0076EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0076ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0076EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0075AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00789576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00789576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1673263267.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f4a28cdd-a
Source: file.exe, 00000000.00000000.1673263267.00000000007B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_da9fe3c1-2
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_92313cc5-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_19054107-6

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025346622377 NtQuerySystemInformation,		16_2_0000025346622377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025346646672 NtQuerySystemInformation,		16_2_0000025346646672

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0075D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00751201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00751201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0075E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FBF40	0_2_006FBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F8060	0_2_006F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00762046	0_2_00762046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00758298	0_2_00758298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072E4FF	0_2_0072E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072676B	0_2_0072676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00784873	0_2_00784873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FCAF0	0_2_006FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071CAA0	0_2_0071CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070CC39	0_2_0070CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00726DD9	0_2_00726DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070B119	0_2_0070B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F91C0	0_2_006F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711394	0_2_00711394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711706	0_2_00711706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071781B	0_2_0071781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070997D	0_2_0070997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F7920	0_2_006F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007119B0	0_2_007119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717A4A	0_2_00717A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711C77	0_2_00711C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00717CA7	0_2_00717CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0077BE44	0_2_0077BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729EEE	0_2_00729EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00711F32	0_2_00711F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025346622377	16_2_0000025346622377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025346646672	16_2_0000025346646672
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000025346646D9C	16_2_0000025346646D9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000253466466B2	16_2_00000253466466B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00710A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0070F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007637B5 GetLastError,FormatMessageW,

0_2_007637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007510BF AdjustTokenPrivileges,CloseHandle,		0_2_007510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0075D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0076648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1916089419.0000016B1E5D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1916089419.0000016B1E5D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845534109.0000016B1E5B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb6f847-cb9e-4fb5-afb6-641a629cd22d} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b04870510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -parentBuildID 20230927232528 -prefsHandle 3560 -prefMapHandle 3100 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bf62ce-243b-4030-87bf-9d8b0acb858c} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b16cb5410 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5308 -prefMapHandle 1556 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cdc9275-8888-45cf-a7dd-d000686ae1a0} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b15a97310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb6f847-cb9e-4fb5-afb6-641a629cd22d} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b04870510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -parentBuildID 20230927232528 -prefsHandle 3560 -prefMapHandle 3100 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bf62ce-243b-4030-87bf-9d8b0acb858c} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b16cb5410 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5308 -prefMapHandle 1556 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cdc9275-8888-45cf-a7dd-d000686ae1a0} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b15a97310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1874152843.0000016B11ECC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 0000000D.00000003.1875560433.0000016B11ECB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1874152843.0000016B11ECC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1871651855.0000016B11EC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: npmproxy.pdb source: firefox.exe, 0000000D.00000003.1875560433.0000016B11ECB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1871651855.0000016B11EC6000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710A76 push ecx; ret

0_2_00710A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0070F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0070F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00781C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00781C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95314

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000025346622377 rdtsc

16_2_0000025346622377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0075DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007668EE FindFirstFileW,FindClose,	0_2_007668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0076698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0075D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0075D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00769642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0076979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0076979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00769B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00769B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00765C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00765C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: firefox.exe, 00000011.00000002.3542534281.00000121A6100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#7
Source: firefox.exe, 00000010.00000002.3542621502.0000025346674000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: jHgFS
Source: firefox.exe, 0000000F.00000002.3541401591.000001C300300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3542864946.0000025346AE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3538356407.00000253462FA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3538615888.00000121A5CEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3542590283.000001C37FF2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0!0
Source: firefox.exe, 0000000F.00000002.3540811938.000001C300214000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3541401591.000001C300300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3542864946.0000025346AE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000025346622377 rdtsc

16_2_0000025346622377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0076EAA2 BlockInput,

0_2_0076EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00722622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00722622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00714CE8 mov eax, dword ptr fs:[00000030h]

0_2_00714CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00750B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00750B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00722622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00722622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0071083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007109D5 SetUnhandledExceptionFilter,	0_2_007109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00710C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00710C21

Source: C:\Users\user\Desktop\file.exe

0_2_00751201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00732BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00732BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075B226 SendInput,keybd_event,

0_2_0075B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00750B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00751663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00751663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710698 cpuid

0_2_00710698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00768195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00768195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0074D27A GetUserNameW,

0_2_0074D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0072BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7400, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00771204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00771806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00771806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.65	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.65.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.185.206	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.65.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3540397650.00000121A60C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1844620034.0000016B1F7F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1924287841.0000016B1F7F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3538324878.000001C3001CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.00000253465E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3542708789.00000121A6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1887285047.0000016B1C64C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3539617043.0000025346586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3540397650.00000121A608F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1849176647.0000016B1C50D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1919718683.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1900831098.0000016B1CA5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846190296.0000016B1CA5E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1924287841.0000016B1F73E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844620034.0000016B1F729000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1846190296.0000016B1CA5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738852537.0000016B14577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738393965.0000016B14300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738735856.0000016B1455A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738511869.0000016B1451F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1779885088.0000016B150B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779885088.0000016B150AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779885088.0000016B15031000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1921588113.0000016B200C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914839483.0000016B200C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899960014.0000016B200C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1849007118.0000016B1C554000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1734585929.0000016B10906000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848712982.0000016B1C592000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734585929.0000016B1091F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1900506659.0000016B1EBB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738735856.0000016B1455A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738511869.0000016B1451F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1850325786.0000016B17B5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926450228.0000016B17B5E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1738626206.0000016B1453C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738852537.0000016B14577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738393965.0000016B14300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738735856.0000016B1455A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738511869.0000016B1451F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1900506659.0000016B1EB4B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3538324878.000001C3001CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.00000253465E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3542708789.00000121A6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing	firefox.exe, 0000000D.00000003.1734585929.0000016B10906000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734585929.0000016B1091F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1848144675.0000016B1C775000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1900098684.0000016B1FD8A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1848712982.0000016B1C592000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3538324878.000001C3001CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.00000253465E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3542708789.00000121A6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1848144675.0000016B1C775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.000002534650A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3540397650.00000121A600C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1810682100.0000016B1FAF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807593104.0000016B15618000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1900831098.0000016B1CA9B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1849176647.0000016B1C50D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3540397650.00000121A60C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1926041638.0000016B17BD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850325786.0000016B17BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1790471901.0000016B16751000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1845841764.0000016B1E56E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1922939052.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853519138.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779885088.0000016B150B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919718683.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1734585929.0000016B1091F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899261474.0000016B207A0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1919718683.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.0000025346512000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3540397650.00000121A6013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1849176647.0000016B1C50D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1849007118.0000016B1C554000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1900831098.0000016B1CAA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1775015617.0000016B1C74C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892993602.0000016B155C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878871396.0000016B1C6D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849007118.0000016B1C554000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1770450033.0000016B1C6D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884301012.0000016B159A8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844620034.0000016B1F723000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1916918632.0000016B17A5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859345521.0000016B148EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1748206806.0000016B148F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1739460564.0000016B14550000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925185877.0000016B1C74C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887285047.0000016B1C62E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852315250.0000016B16F92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851885419.0000016B17A5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1746544530.0000016B148FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887797091.0000016B1C640000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917592756.0000016B16F92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853300754.0000016B16CC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740880904.0000016B14546000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1746602608.0000016B148F5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1850325786.0000016B17B5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926450228.0000016B17B5E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1900831098.0000016B1CA85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846190296.0000016B1CA85000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1850325786.0000016B17B5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926450228.0000016B17B5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851626017.0000016B17A9D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1849176647.0000016B1C50D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1850325786.0000016B17B2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845534109.0000016B1E5E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1850325786.0000016B17B2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845534109.0000016B1E5E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1900831098.0000016B1CAA9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1887285047.0000016B1C64C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1848712982.0000016B1C592000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1734585929.0000016B10906000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848712982.0000016B1C592000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734585929.0000016B1091F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1849176647.0000016B1C50D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1741804390.0000016B14120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742163404.0000016B14132000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856099719.0000016B14139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741175504.0000016B14133000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1926450228.0000016B17B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850325786.0000016B17B77000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1810024921.0000016B15619000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807593104.0000016B15618000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1741804390.0000016B14120000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742163404.0000016B14132000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856099719.0000016B14139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741175504.0000016B14133000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3538324878.000001C3001CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.00000253465E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3542708789.00000121A6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1848144675.0000016B1C775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1849176647.0000016B1C50D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1915120044.0000016B1FF69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845534109.0000016B1E58F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1738511869.0000016B1451F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1922939052.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853519138.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779792416.0000016B15441000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738626206.0000016B1453C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869108111.0000016B15C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738852537.0000016B14577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738393965.0000016B14300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919718683.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738735856.0000016B1455A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738511869.0000016B1451F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1849007118.0000016B1C554000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3543132972.000001C37FF90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3539053811.0000025346390000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3539527436.00000121A5D90000.00000002.10000000.00040000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.206	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545300
Start date and time:	2024-10-30 11:52:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@69/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 54.185.230.140, 35.160.212.113, 142.250.184.238, 2.22.61.56, 2.22.61.72, 142.250.185.238, 216.58.206.74, 142.250.185.234
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
dyna.wikimedia.org	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	app64.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	48.186.202.220
FASTLYUS	app64.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	http://xn--gba7iaacaabba0ab51nca04ecacdad9203oearjjb191bfa.mkto-sj030022.com	Get hash	malicious	Unknown	Browse	151.101.129.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://etf-remittance-payout.s3.us-east-1.amazonaws.com/DMwNjk0MTU2LWI2MTItNDg5My04YmZhLWNhMzBjZTMzO/jZTMzODU5NwBGAAAAAAA/doc.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!s553e3fe901654d86bcc4ed44c7c05dd3&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0V1a19QbFZsQVlaTnZNVHRSTWZBWGRNQmtvbDQ2b1NlN1o5MGFiazNzS3lGSlE_ZT1UMnQ4S3Y&wd=target%28Sezione%20senza%20titolo.one%7C8d7e5173-6006-4648-a69d-e39e66e7041a%2FAblehnung%20Rechnung%20R15946098273-KU30_WE02%20Vom%2028%5C%2F%7Cd77916b9-b471-429a-a13e-74764563e56b%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	48.186.202.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31431ecc-1a1d-49a2-823b-6acc110d75d9.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177330467828677
Encrypted:	false
SSDEEP:	192:MjMi4a1cbhbVbTbfbRbObtbyEl7nYr5JA6WnSrDtTUd/SkDrm+:MYAcNhnzFSJ4rUBnSrDhUd/w+
MD5:	5124EDDBB33C2105F9DE2280074F1363
SHA1:	13073F655DB760D942C0744248077CBDC04A0E0C
SHA-256:	62DACBD4FB681C1541415883D3B844BFD7A949991002B1224BDA70530FA4FC63
SHA-512:	5656566080D1B36E85996505D38C2CF02A5DF474F03A73DB469B5CFEC3BA1CAB19C4C3FECA2C8F7640D358CD12B33A3C6838CE8A12812BD86DF9B253CC6E97B0
Malicious:	false
Preview:	{"type":"uninstall","id":"31431ecc-1a1d-49a2-823b-6acc110d75d9","creationDate":"2024-10-30T12:21:46.765Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31431ecc-1a1d-49a2-823b-6acc110d75d9.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177330467828677
Encrypted:	false
SSDEEP:	192:MjMi4a1cbhbVbTbfbRbObtbyEl7nYr5JA6WnSrDtTUd/SkDrm+:MYAcNhnzFSJ4rUBnSrDhUd/w+
MD5:	5124EDDBB33C2105F9DE2280074F1363
SHA1:	13073F655DB760D942C0744248077CBDC04A0E0C
SHA-256:	62DACBD4FB681C1541415883D3B844BFD7A949991002B1224BDA70530FA4FC63
SHA-512:	5656566080D1B36E85996505D38C2CF02A5DF474F03A73DB469B5CFEC3BA1CAB19C4C3FECA2C8F7640D358CD12B33A3C6838CE8A12812BD86DF9B253CC6E97B0
Malicious:	false
Preview:	{"type":"uninstall","id":"31431ecc-1a1d-49a2-823b-6acc110d75d9","creationDate":"2024-10-30T12:21:46.765Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3132960405182934
Encrypted:	false
SSDEEP:	48:BdnpCbtkgUgdwKzXdnpCbtkk6Bdw2FdnpCbtkEadwk1:N2uSO2
MD5:	8F39324297C206CB2CD96939E53BF48C
SHA1:	5C686C6F9CB69063BD6596286A2E63CDAF9704DC
SHA-256:	56501FACBE820E466CD3B0EE079C92D40ECC7E84522AB0A95A5F65EBC3EA8003
SHA-512:	F915B95B29E7C8CC3E630367A93CDC5BA307CD57078BD06FD9C71D8B05C7422A34A8FFC5DD3B81B9205988B9EC7A924C57B528891D94CFEA579858E57F2F43DA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......^...*..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I^Y.V....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W^Y.V............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W^Y.V..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............Xa......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3132960405182934
Encrypted:	false
SSDEEP:	48:BdnpCbtkgUgdwKzXdnpCbtkk6Bdw2FdnpCbtkEadwk1:N2uSO2
MD5:	8F39324297C206CB2CD96939E53BF48C
SHA1:	5C686C6F9CB69063BD6596286A2E63CDAF9704DC
SHA-256:	56501FACBE820E466CD3B0EE079C92D40ECC7E84522AB0A95A5F65EBC3EA8003
SHA-512:	F915B95B29E7C8CC3E630367A93CDC5BA307CD57078BD06FD9C71D8B05C7422A34A8FFC5DD3B81B9205988B9EC7A924C57B528891D94CFEA579858E57F2F43DA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......^...*..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I^Y.V....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W^Y.V............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W^Y.V..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............Xa......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8N40XT4FMLGQVNLGUYSU.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3132960405182934
Encrypted:	false
SSDEEP:	48:BdnpCbtkgUgdwKzXdnpCbtkk6Bdw2FdnpCbtkEadwk1:N2uSO2
MD5:	8F39324297C206CB2CD96939E53BF48C
SHA1:	5C686C6F9CB69063BD6596286A2E63CDAF9704DC
SHA-256:	56501FACBE820E466CD3B0EE079C92D40ECC7E84522AB0A95A5F65EBC3EA8003
SHA-512:	F915B95B29E7C8CC3E630367A93CDC5BA307CD57078BD06FD9C71D8B05C7422A34A8FFC5DD3B81B9205988B9EC7A924C57B528891D94CFEA579858E57F2F43DA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......^...*..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I^Y.V....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W^Y.V............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W^Y.V..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............Xa......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TPI3F41MDA88A4TN5N33.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3132960405182934
Encrypted:	false
SSDEEP:	48:BdnpCbtkgUgdwKzXdnpCbtkk6Bdw2FdnpCbtkEadwk1:N2uSO2
MD5:	8F39324297C206CB2CD96939E53BF48C
SHA1:	5C686C6F9CB69063BD6596286A2E63CDAF9704DC
SHA-256:	56501FACBE820E466CD3B0EE079C92D40ECC7E84522AB0A95A5F65EBC3EA8003
SHA-512:	F915B95B29E7C8CC3E630367A93CDC5BA307CD57078BD06FD9C71D8B05C7422A34A8FFC5DD3B81B9205988B9EC7A924C57B528891D94CFEA579858E57F2F43DA
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......^...*..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I^Y.V....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W^Y.V............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W^Y.V..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............Xa......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.931213628972082
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLHom8P:8S+OBIUjOdwiOdYVjjwLHom8P
MD5:	4D9B81183376989ABEB895CE7B995A44
SHA1:	1567FE42AF5FC7C570F6F0041FBE01619036ECF1
SHA-256:	4AF16F999D7E0276895F61C089C35FDCADBDB7F1E3584B491D2B267F4F362381
SHA-512:	D93438D64391198D3264876E47EC13C5349A791A43EF46004EF10A5EF8FF7D15944DB48B88464DDFC942B6EF30847F6A7EFE15F7852F99D7DEB1EB5673C3790E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.931213628972082
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLHom8P:8S+OBIUjOdwiOdYVjjwLHom8P
MD5:	4D9B81183376989ABEB895CE7B995A44
SHA1:	1567FE42AF5FC7C570F6F0041FBE01619036ECF1
SHA-256:	4AF16F999D7E0276895F61C089C35FDCADBDB7F1E3584B491D2B267F4F362381
SHA-512:	D93438D64391198D3264876E47EC13C5349A791A43EF46004EF10A5EF8FF7D15944DB48B88464DDFC942B6EF30847F6A7EFE15F7852F99D7DEB1EB5673C3790E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330050930611003
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkir:DLhesh7Owd4+jir
MD5:	EC5272E19E5B56E8AD25B221BB31E396
SHA1:	752CA3315E34B96A000D81778E0BC38F048AF0D7
SHA-256:	961E460DCB51623BD4FEB26FFA445989AF75517E83F5C07CB42625EC0A65AF88
SHA-512:	72C48C00A7D480E64133F577AA67AE15343E80D4A6261BAF438F6C3397F7452EF236F6FF7169189AAEFDAC6EC60FAB9645F612C2EB409343266B180140DF9689
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039751381258926154
Encrypted:	false
SSDEEP:	3:GHlhV9hLWNXjcElkQlPlhV9hLWNXjcElkf/il8a9//Ylll4llqlyllel4lt:G7V3LKrkwDV3LKrkfOL9XIwlio
MD5:	ADA6E5519984747C4A5374E528B03855
SHA1:	8AA3C1855875D7042E00EB4EA9B080BF41A11B0F
SHA-256:	2C436A119F204FA8FB018F527875CC6F62172CC74A2F0E12926B9BF18F0BB4B8
SHA-512:	DB920AF9990259E1124EF5DB36F09F7FECA1184FC9EE9955E628331D7ED733F70B562A424C59B5BBA96838D5C5AF2FFF31A1FDF0E674AEC5057EF28E3D609E4D
Malicious:	false
Preview:	..-......................O.z....2..F~....)y..,..-......................O.z....2..F~....)y..,........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11787765094274665
Encrypted:	false
SSDEEP:	24:K7Rfkj0LxsZ+njxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxrwlqVZ2i7+:CRMjgQUJtUnWdU+RVxc2Zk
MD5:	BCABF2617C7A3B63D7D4DCD901FF938F
SHA1:	701038D4895175C6E780201EFC707DB470FCBD55
SHA-256:	1D1D56A4E68C838F0A64F09A96FDE37008A6BFC6FC5C6D0296C8990757C095AD
SHA-512:	AB91B213B8AD9FAB6B39B4024ABE1EA5BDB2722C2835FEFA4B0D4F83CB0E06F84D470B847DCE89A095292D3A240DAAC1B0208266924A850E5BCF5C4BAAD699ED
Malicious:	false
Preview:	7....-...........2..F~...r5.Q...........2..F~...V.?kc['................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4959732339966365
Encrypted:	false
SSDEEP:	192:0naRtLYbBp6Thj4qyaaXu6K5rYyNHIJ5RfGNBw8d+Sl:Jexq2JeHccw10
MD5:	3B8493A5A7AB416CD398762A7122D8C6
SHA1:	8235590D4C8E1FCC2D471417E8077A3F13FC4986
SHA-256:	E3CAB9E86FEBF83A20399823350C3E377D7899C5E998611FE5419A4D85739784
SHA-512:	971E1824BE03D8F608E299576C0B854920F4B6B164313F87705E44E599AF16C30E88A7762262265560FA0D08BA61E248150AE6417F04A934C61B237C6FAA0489
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730290876);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730290876);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730290876);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173029

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4959732339966365
Encrypted:	false
SSDEEP:	192:0naRtLYbBp6Thj4qyaaXu6K5rYyNHIJ5RfGNBw8d+Sl:Jexq2JeHccw10
MD5:	3B8493A5A7AB416CD398762A7122D8C6
SHA1:	8235590D4C8E1FCC2D471417E8077A3F13FC4986
SHA-256:	E3CAB9E86FEBF83A20399823350C3E377D7899C5E998611FE5419A4D85739784
SHA-512:	971E1824BE03D8F608E299576C0B854920F4B6B164313F87705E44E599AF16C30E88A7762262265560FA0D08BA61E248150AE6417F04A934C61B237C6FAA0489
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730290876);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730290876);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730290876);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173029

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.334410165614219
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStjhGDLXnIgVF/pnxQwRlszT5sKtL3eHVQj6TnNamhujJlOsIomNV8:GUpOxkh49PnR6p3eHTnN4JlIquR4
MD5:	38EFE34D3119ADE6DD545D8CDEDD2C9B
SHA1:	E640389B22047734478CDD84945BBC43BE1EC2F5
SHA-256:	829DDB9D6C6D9750C8FADDB47FE2BFC99D8CBECD2FB97D96F823B6BD7A76CC20
SHA-512:	C8F4B8919F6EAAEB4A00361ADFD8C181403DEECA4C8C6828689A41A56A4A7E74A601FBBED30979FDC11C5992E5968022E66D380B565AD0ED834E68FBF9C24027
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2872110f-4aa4-4bcc-a892-b4693b2a9ed2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730290880031,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..!45...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...52428,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.334410165614219
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStjhGDLXnIgVF/pnxQwRlszT5sKtL3eHVQj6TnNamhujJlOsIomNV8:GUpOxkh49PnR6p3eHTnN4JlIquR4
MD5:	38EFE34D3119ADE6DD545D8CDEDD2C9B
SHA1:	E640389B22047734478CDD84945BBC43BE1EC2F5
SHA-256:	829DDB9D6C6D9750C8FADDB47FE2BFC99D8CBECD2FB97D96F823B6BD7A76CC20
SHA-512:	C8F4B8919F6EAAEB4A00361ADFD8C181403DEECA4C8C6828689A41A56A4A7E74A601FBBED30979FDC11C5992E5968022E66D380B565AD0ED834E68FBF9C24027
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2872110f-4aa4-4bcc-a892-b4693b2a9ed2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730290880031,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..!45...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...52428,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.334410165614219
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStjhGDLXnIgVF/pnxQwRlszT5sKtL3eHVQj6TnNamhujJlOsIomNV8:GUpOxkh49PnR6p3eHTnN4JlIquR4
MD5:	38EFE34D3119ADE6DD545D8CDEDD2C9B
SHA1:	E640389B22047734478CDD84945BBC43BE1EC2F5
SHA-256:	829DDB9D6C6D9750C8FADDB47FE2BFC99D8CBECD2FB97D96F823B6BD7A76CC20
SHA-512:	C8F4B8919F6EAAEB4A00361ADFD8C181403DEECA4C8C6828689A41A56A4A7E74A601FBBED30979FDC11C5992E5968022E66D380B565AD0ED834E68FBF9C24027
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2872110f-4aa4-4bcc-a892-b4693b2a9ed2}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730290880031,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..!45...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...52428,"originA...."fi

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032535918879499
Encrypted:	false
SSDEEP:	48:YrSAYnj6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycjyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	83D0CEA0FF700EE07A909C40F182DDF2
SHA1:	D620CB59DA0A88F6A722E5023EDC1160CBD3A015
SHA-256:	AD4E2D5565BC8128845D0EB5D86DDD783C1D602D97419C8EFD238637FB62515A
SHA-512:	261F18B2E7B9D076DB61201B98CDDCB14C69CFF2AAA9AE2B3FBC0BB4C9440DDDC15CF682AD0510C2C481CD5AF0E5BCFA9564C76662EBD97FB8D44CF92743E7A3
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T12:21:03.504Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032535918879499
Encrypted:	false
SSDEEP:	48:YrSAYnj6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycjyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	83D0CEA0FF700EE07A909C40F182DDF2
SHA1:	D620CB59DA0A88F6A722E5023EDC1160CBD3A015
SHA-256:	AD4E2D5565BC8128845D0EB5D86DDD783C1D602D97419C8EFD238637FB62515A
SHA-512:	261F18B2E7B9D076DB61201B98CDDCB14C69CFF2AAA9AE2B3FBC0BB4C9440DDDC15CF682AD0510C2C481CD5AF0E5BCFA9564C76662EBD97FB8D44CF92743E7A3
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-30T12:21:03.504Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.58467072504627
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	388a4d9e5a5ec3446324f1dcfee1f8db
SHA1:	4dbf48c4bb5b82da95778263d0fa897cf77909aa
SHA256:	10582062c33d5d8478731c97de4f2882f25332a603d048f4ada7aab4af0730e4
SHA512:	8954e1ca993ffaf83bdd018534eeac2e815b5956d39c9ffe29d9728521db06bec306e67c05e8c54404282d8d1aaa9acfe2418db7478d0f04500e28fed4143efb
SSDEEP:	12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TJ:rqDEvCTbMWu7rQYlBQcBiT6rprG8abJ
TLSH:	46159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67220D83 [Wed Oct 30 10:42:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3EB4DE93A3h
jmp 00007F3EB4DE8CAFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3EB4DE8E8Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3EB4DE8E5Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3EB4DEBA4Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3EB4DEBA98h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3EB4DEBA81h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	38d360682c9272f2bed4d745ad1fc1b0	False	0.3156398338607595	data	5.374045843869354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 11:53:07.007230043 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.007332087 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:07.008050919 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.012577057 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.012609005 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:07.631663084 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:07.633536100 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.642334938 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.642380953 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:07.642446041 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.642642021 CET	443	49736	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:07.642700911 CET	49736	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:07.828906059 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:07.828938007 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:07.829385996 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:07.830810070 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:07.830831051 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.048544884 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:08.048588037 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.050549984 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:08.052234888 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:08.052251101 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.059015036 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:08.064327955 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:08.065464973 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:08.065730095 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:08.071249962 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:08.387691021 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:08.387736082 CET	443	49740	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:08.397399902 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:08.398825884 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:08.398838997 CET	443	49740	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:08.652784109 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:08.693161011 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.693382025 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:08.693937063 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.694160938 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:08.696404934 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:08.900346041 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.901309013 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.903776884 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:08.903796911 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:08.958520889 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.023984909 CET	443	49740	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.024012089 CET	443	49740	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.024066925 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.222975016 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.223067999 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.223231077 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.223258018 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.223377943 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.223469019 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.223521948 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.223551989 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.223653078 CET	49738	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.223666906 CET	443	49738	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.223727942 CET	49737	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.223769903 CET	443	49737	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.224236965 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.224282026 CET	443	49742	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.224411964 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.225805044 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:09.225816011 CET	443	49742	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:09.226486921 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.226497889 CET	443	49740	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.226551056 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.227052927 CET	443	49740	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.227117062 CET	49740	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.279007912 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.279098034 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.279177904 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.280379057 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.280414104 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.293701887 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.293721914 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.293857098 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.295178890 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.295192957 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.333451033 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.333478928 CET	443	49745	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:09.336513042 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.336807013 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.336827040 CET	443	49745	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:09.346071959 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:09.351381063 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:09.352047920 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:09.352159023 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:09.357462883 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:09.667644978 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:09.667741060 CET	443	49747	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:09.668056011 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:09.668181896 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:09.668203115 CET	443	49747	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:09.910372972 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.911528111 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.916250944 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.916294098 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.916349888 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.916486979 CET	443	49744	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.916717052 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.916754007 CET	443	49748	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.916753054 CET	49744	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.916866064 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.918142080 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.918152094 CET	443	49748	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.918711901 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.919111967 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.923389912 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.923398972 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.923504114 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.923535109 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.923540115 CET	443	49743	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:09.923549891 CET	49743	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:09.948462963 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:09.960630894 CET	443	49745	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:09.960732937 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.964039087 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.964057922 CET	443	49745	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:09.964348078 CET	443	49745	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:09.967005968 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.967082977 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.967139959 CET	443	49745	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:09.967221022 CET	49745	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:09.986572981 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:09.986572981 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:09.992846966 CET	80	49746	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:09.992887020 CET	80	49739	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:09.993488073 CET	49746	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:09.993488073 CET	49739	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.026170969 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.031629086 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:10.031697989 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.031833887 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.037269115 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:10.085905075 CET	443	49742	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:10.085990906 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:10.086636066 CET	443	49742	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:10.086954117 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:10.090928078 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:10.090944052 CET	443	49742	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:10.091039896 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:10.091125965 CET	443	49742	142.250.185.206	192.168.2.4
Oct 30, 2024 11:53:10.091218948 CET	49742	443	192.168.2.4	142.250.185.206
Oct 30, 2024 11:53:10.275427103 CET	443	49747	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.275502920 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.278697968 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.278733015 CET	443	49747	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.278975010 CET	443	49747	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.281611919 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.281725883 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.281788111 CET	443	49747	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.281928062 CET	49747	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.282116890 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.282157898 CET	443	49750	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.282265902 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.282370090 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.282378912 CET	443	49750	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.538240910 CET	443	49748	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:10.538877010 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.542785883 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.542795897 CET	443	49748	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:10.542881966 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.543014050 CET	443	49748	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:10.543101072 CET	49748	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.627476931 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:10.669265985 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.669361115 CET	443	49752	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:10.680598974 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.680687904 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.682024002 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:10.682063103 CET	443	49752	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:10.683857918 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.689196110 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:10.694189072 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.694333076 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:10.699620962 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:10.896404982 CET	443	49750	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.896492004 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.899862051 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.899872065 CET	443	49750	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.900124073 CET	443	49750	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.902321100 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.902396917 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.902487040 CET	443	49750	34.160.144.191	192.168.2.4
Oct 30, 2024 11:53:10.902522087 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:10.902931929 CET	49750	443	192.168.2.4	34.160.144.191
Oct 30, 2024 11:53:11.282494068 CET	443	49752	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:11.282516003 CET	443	49752	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:11.282943010 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:11.291080952 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:11.291130066 CET	443	49752	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:11.291179895 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:11.291347980 CET	443	49752	34.117.188.166	192.168.2.4
Oct 30, 2024 11:53:11.291544914 CET	49752	443	192.168.2.4	34.117.188.166
Oct 30, 2024 11:53:11.300075054 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:11.332068920 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:11.337527990 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:11.351284981 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:11.456880093 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:11.478415012 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:11.483954906 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:11.487175941 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:11.487222910 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:11.498517036 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:11.500137091 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:11.500153065 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:11.514086962 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:11.605485916 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:11.652131081 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:12.126190901 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:12.126210928 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:12.126276016 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:12.130686045 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:12.130707026 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:12.130763054 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:12.131002903 CET	443	49755	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:12.131048918 CET	49755	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:12.318758965 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.318810940 CET	443	49757	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:12.318967104 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.319082975 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.319102049 CET	443	49757	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:12.322182894 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:12.328144073 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:12.335408926 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:12.335439920 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:12.336940050 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:12.338572025 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:12.338587046 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:12.339612007 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.339664936 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:12.346415997 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.348107100 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.348129034 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:12.447587967 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:12.490232944 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:12.937863111 CET	443	49757	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:12.938214064 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.940876007 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.940881968 CET	443	49757	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:12.941149950 CET	443	49757	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:12.942970037 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.943053961 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.943161011 CET	443	49757	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:12.943192959 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.943491936 CET	49757	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:12.953402996 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:12.953425884 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:12.953933954 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.958444118 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.958460093 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:12.958512068 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.958626986 CET	443	49759	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:12.958715916 CET	49759	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:12.961337090 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:12.961420059 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:12.965594053 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:12.965605021 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:12.965663910 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:12.965846062 CET	443	49758	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:12.965919971 CET	49758	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.434855938 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:15.440256119 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:15.448817015 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:15.454154968 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:15.523324013 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.523385048 CET	443	49761	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:15.523555040 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.523601055 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:15.527175903 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.527240038 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.527462959 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.527478933 CET	443	49761	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:15.527623892 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.527641058 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:15.532078981 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.532090902 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:15.539180994 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.540700912 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:15.540710926 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:15.561836004 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:15.573870897 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:15.614758968 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:15.614777088 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:16.139558077 CET	443	49761	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.139710903 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.144139051 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.144313097 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.145533085 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.145545959 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.145593882 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.583861113 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.583885908 CET	443	49761	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.584849119 CET	443	49761	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.586204052 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.586232901 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.587240934 CET	443	49762	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.593985081 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594145060 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594242096 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594306946 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594357967 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594367981 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.594413042 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594474077 CET	443	49761	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.594542980 CET	49762	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594619036 CET	443	49763	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:16.594822884 CET	49761	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:16.594839096 CET	49763	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:20.835985899 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:20.841454029 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:20.963049889 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:21.012151957 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:21.804615021 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:21.806078911 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:21.806133986 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:21.806337118 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:21.807702065 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:21.807720900 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:21.809921026 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:21.809938908 CET	443	49770	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:21.810035944 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:21.810195923 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:21.811464071 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:21.811477900 CET	443	49770	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:21.930068016 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:21.983858109 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:22.305538893 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:22.311166048 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:22.415381908 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:22.416317940 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:22.420768023 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:22.420784950 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:22.420845032 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:22.421019077 CET	443	49769	34.120.208.123	192.168.2.4
Oct 30, 2024 11:53:22.422967911 CET	443	49770	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:22.423614025 CET	49769	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:53:22.423640013 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:22.449773073 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:22.500941992 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:23.217407942 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:23.217487097 CET	443	49770	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:23.217519045 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:23.218045950 CET	443	49770	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:23.218115091 CET	49770	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:23.542741060 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:23.548216105 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:23.667928934 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:23.720172882 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:23.871031046 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:23.876769066 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:23.998028994 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:24.041059017 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:33.518786907 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:33.518861055 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:33.519025087 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:33.520342112 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:33.520375013 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:33.682158947 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:33.687660933 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:33.998656034 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:34.004764080 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:34.120135069 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:34.120227098 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:34.124808073 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:34.124825954 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:34.124942064 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:34.125019073 CET	443	49771	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:34.125188112 CET	49771	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:34.127593040 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:34.134442091 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:34.254266024 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:34.257584095 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:34.263067007 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:34.299577951 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:34.384504080 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:34.431099892 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:35.287784100 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.287852049 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.287923098 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.288485050 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.288563967 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.323959112 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.323987007 CET	443	49773	151.101.65.91	192.168.2.4
Oct 30, 2024 11:53:35.324381113 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.324493885 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.324507952 CET	443	49773	151.101.65.91	192.168.2.4
Oct 30, 2024 11:53:35.329546928 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.329632044 CET	443	49774	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:35.329879045 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.329900980 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:35.332386971 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.332452059 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.333782911 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.333822012 CET	443	49774	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:35.335329056 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.335354090 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:35.358294010 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:35.358334064 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 11:53:35.371710062 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:35.373219013 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:35.373235941 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 11:53:35.896399021 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.896511078 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.899837971 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.899863005 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.900089025 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.902307034 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.902307034 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.902468920 CET	443	49772	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.904318094 CET	49772	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.906037092 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:35.911473989 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:35.934825897 CET	443	49773	151.101.65.91	192.168.2.4
Oct 30, 2024 11:53:35.934948921 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.938004971 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.938030005 CET	443	49773	151.101.65.91	192.168.2.4
Oct 30, 2024 11:53:35.938270092 CET	443	49773	151.101.65.91	192.168.2.4
Oct 30, 2024 11:53:35.940632105 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.940711975 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.940779924 CET	443	49773	151.101.65.91	192.168.2.4
Oct 30, 2024 11:53:35.945173979 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:35.946913958 CET	49773	443	192.168.2.4	151.101.65.91
Oct 30, 2024 11:53:35.946938992 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.949599028 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.949645042 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.950553894 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.950690985 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.950704098 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.951932907 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.951944113 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:35.952017069 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.952097893 CET	443	49775	35.190.72.216	192.168.2.4
Oct 30, 2024 11:53:35.952505112 CET	443	49774	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:35.953255892 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.953289986 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.953762054 CET	49775	443	192.168.2.4	35.190.72.216
Oct 30, 2024 11:53:35.953775883 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.953810930 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.956916094 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.956921101 CET	443	49774	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:35.957447052 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.957467079 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.957496881 CET	443	49774	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:35.957742929 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.957776070 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.957842112 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.958523989 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:35.958539009 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:35.960098028 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.960175037 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.960261106 CET	443	49774	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:35.961136103 CET	49774	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:35.992258072 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 11:53:35.992269993 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 11:53:35.992336988 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:35.996678114 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:35.996686935 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 11:53:35.996737957 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:35.996877909 CET	443	49776	35.201.103.21	192.168.2.4
Oct 30, 2024 11:53:35.997081995 CET	49776	443	192.168.2.4	35.201.103.21
Oct 30, 2024 11:53:36.007546902 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.007572889 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:36.008512974 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.008591890 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.008604050 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:36.031063080 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.033086061 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:36.038530111 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.073566914 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:36.160176039 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.205075979 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:36.564240932 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.564316988 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.567217112 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.567229986 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.567385912 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.567466974 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.567579985 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.567609072 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.567655087 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.569711924 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.569736004 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.569984913 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.571582079 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.571603060 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.571861982 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.574616909 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.574702024 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.574748039 CET	443	49778	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.574965000 CET	49778	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.576107025 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.576152086 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.576253891 CET	443	49777	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.576416969 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.576462984 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.576565981 CET	443	49779	35.244.181.201	192.168.2.4
Oct 30, 2024 11:53:36.577605009 CET	49777	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.577605009 CET	49779	443	192.168.2.4	35.244.181.201
Oct 30, 2024 11:53:36.578493118 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:36.584002018 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.625227928 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:36.625298023 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.628071070 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.628083944 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:36.628401041 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:36.630738020 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.630800962 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.630903006 CET	443	49780	34.149.100.209	192.168.2.4
Oct 30, 2024 11:53:36.631422043 CET	49780	443	192.168.2.4	34.149.100.209
Oct 30, 2024 11:53:36.703768015 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.705897093 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:36.711415052 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.747889042 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:36.833172083 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:36.875799894 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:46.704379082 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:46.709877968 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:46.835944891 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:46.841475964 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:54.272799969 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.272844076 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:54.275517941 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.277116060 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.277136087 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:54.886604071 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:54.886856079 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.892047882 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.892060995 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:54.892151117 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.892239094 CET	443	49782	34.107.243.93	192.168.2.4
Oct 30, 2024 11:53:54.892373085 CET	49782	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:53:54.894665956 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:54.900032043 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:55.019821882 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:55.023029089 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:55.028552055 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:55.059485912 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:53:55.149940968 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:53:55.191104889 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:03.878926992 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:03.884382963 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:04.003695965 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:04.006629944 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:04.012093067 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:04.054179907 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:04.133517981 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:04.185754061 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:05.672538042 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.672589064 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:05.672665119 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.672686100 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:05.672785997 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.672801971 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:05.673366070 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.673382044 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.673404932 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.673588991 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.673610926 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:05.673794985 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.673810005 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:05.673916101 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:05.673942089 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.273190022 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.273477077 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.276902914 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.276907921 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.277158976 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.278713942 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.279372931 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.279474974 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.279515982 CET	443	49837	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.279664993 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.279684067 CET	49837	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.279738903 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.279784918 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.279958010 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.282586098 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.282605886 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.283426046 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.287866116 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.287889957 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.288099051 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.288269997 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:06.291737080 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.292119026 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.292340040 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.292359114 CET	443	49838	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.292582989 CET	49838	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.292582989 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.292660952 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.292737961 CET	443	49836	34.120.208.123	192.168.2.4
Oct 30, 2024 11:54:06.293193102 CET	49836	443	192.168.2.4	34.120.208.123
Oct 30, 2024 11:54:06.293746948 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:06.413487911 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:06.446134090 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:06.451613903 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:06.461169004 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:06.572959900 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:06.623974085 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:16.420049906 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:16.425750971 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:16.589458942 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:16.596071959 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:26.433782101 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:26.578289032 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:26.596559048 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:26.602066040 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:35.065365076 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.065447092 CET	443	49999	34.107.243.93	192.168.2.4
Oct 30, 2024 11:54:35.065562010 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.067038059 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.067075968 CET	443	49999	34.107.243.93	192.168.2.4
Oct 30, 2024 11:54:35.850992918 CET	443	49999	34.107.243.93	192.168.2.4
Oct 30, 2024 11:54:35.851197958 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.856370926 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.856431961 CET	443	49999	34.107.243.93	192.168.2.4
Oct 30, 2024 11:54:35.856460094 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.856561899 CET	443	49999	34.107.243.93	192.168.2.4
Oct 30, 2024 11:54:35.856616974 CET	49999	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:54:35.859087944 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:35.864494085 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:35.983856916 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:35.987497091 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:35.992805004 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:36.024177074 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:36.114831924 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:36.162250996 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:45.989850044 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:45.995337009 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:46.121392965 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:46.126861095 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:56.002279043 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:56.009093046 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:54:56.133848906 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:54:56.139892101 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:06.031091928 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:06.038815022 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:06.147000074 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:06.152414083 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:16.059318066 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:16.064877033 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:16.159591913 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:16.165081978 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:26.065671921 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:26.071223021 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:26.166002035 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:26.171618938 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:36.079016924 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:36.084549904 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:36.179301023 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:36.184899092 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:46.089715004 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:46.095854044 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:46.190140009 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:46.195723057 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:55.927896976 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:55.927953005 CET	443	50055	34.107.243.93	192.168.2.4
Oct 30, 2024 11:55:55.928461075 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:55.930052042 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:55.930085897 CET	443	50055	34.107.243.93	192.168.2.4
Oct 30, 2024 11:55:56.103584051 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:56.109918118 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:56.203675985 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:56.209635973 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:56.538136959 CET	443	50055	34.107.243.93	192.168.2.4
Oct 30, 2024 11:55:56.538258076 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:56.543436050 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:56.543482065 CET	443	50055	34.107.243.93	192.168.2.4
Oct 30, 2024 11:55:56.543539047 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:56.543904066 CET	443	50055	34.107.243.93	192.168.2.4
Oct 30, 2024 11:55:56.543981075 CET	50055	443	192.168.2.4	34.107.243.93
Oct 30, 2024 11:55:56.545892954 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:56.551209927 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:56.671222925 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:56.674429893 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:56.680090904 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:56.720751047 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:55:56.801548958 CET	80	49753	34.107.221.82	192.168.2.4
Oct 30, 2024 11:55:56.852274895 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:56:06.674134016 CET	49749	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:56:06.681077957 CET	80	49749	34.107.221.82	192.168.2.4
Oct 30, 2024 11:56:06.805685997 CET	49753	80	192.168.2.4	34.107.221.82
Oct 30, 2024 11:56:06.811038017 CET	80	49753	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 11:53:07.007791996 CET	63836	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:07.015906096 CET	53	63836	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:07.035782099 CET	61091	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:07.043255091 CET	53	61091	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:07.820787907 CET	62040	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:07.828114986 CET	53	62040	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:07.829324961 CET	56808	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:07.836801052 CET	53	56808	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:07.837351084 CET	63382	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:07.844638109 CET	53	63382	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:08.014187098 CET	53898	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:08.028036118 CET	62136	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:08.036304951 CET	53	62136	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:08.041865110 CET	57936	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:08.049088001 CET	53	57936	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:08.379157066 CET	52134	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:08.386986017 CET	53	52134	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:08.388298988 CET	62293	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:08.396492958 CET	53	62293	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:08.400477886 CET	58470	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:08.408193111 CET	53	58470	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.285080910 CET	50354	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.287426949 CET	61645	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.292716980 CET	53	50354	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.294922113 CET	53	61645	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.295774937 CET	59395	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.296885967 CET	59565	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.303271055 CET	53	59395	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.304548025 CET	53	59565	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.308334112 CET	54619	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.317073107 CET	53	54619	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.327394962 CET	54748	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.346232891 CET	53284	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.354527950 CET	53	53284	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.361927032 CET	56955	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.369153023 CET	53	56955	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.657759905 CET	52441	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.665843010 CET	53	52441	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.667915106 CET	51186	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.675003052 CET	53	51186	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:09.675616980 CET	52117	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:09.683319092 CET	53	52117	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:11.311916113 CET	54940	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:11.347152948 CET	53	50508	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:11.439162970 CET	64562	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:11.446536064 CET	53	64562	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:11.453133106 CET	49156	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:11.460994959 CET	53	49156	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:11.472254992 CET	58586	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:11.480454922 CET	53	58586	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:12.328290939 CET	56117	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:12.334690094 CET	56663	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:12.336704016 CET	53	56117	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:12.340104103 CET	63900	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:12.342331886 CET	53	56663	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:12.348627090 CET	53	63900	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:12.363370895 CET	57537	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:12.366483927 CET	51547	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:12.371035099 CET	53	57537	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:12.374360085 CET	53	51547	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:15.417479992 CET	63185	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:15.424784899 CET	53	63185	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:15.425618887 CET	51929	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:15.433737993 CET	53	51929	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:15.464802027 CET	63928	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:15.472225904 CET	53	63928	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:21.807064056 CET	50669	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:21.809973001 CET	51568	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:21.814527035 CET	53	50669	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:21.817773104 CET	53	51568	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.602533102 CET	54363	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.602533102 CET	61235	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.602861881 CET	63910	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.610012054 CET	53	54363	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.610306025 CET	53	61235	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.610819101 CET	58059	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.610953093 CET	53	63910	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.611066103 CET	64793	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.611617088 CET	62399	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.618518114 CET	53	58059	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.618786097 CET	53	64793	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.618822098 CET	53	62399	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.620806932 CET	57012	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.620974064 CET	64274	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.621186972 CET	52155	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.628348112 CET	53	57012	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.628743887 CET	53	52155	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.628772974 CET	53	64274	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.628988028 CET	57418	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.629514933 CET	54492	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.636750937 CET	53	57418	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.636904001 CET	53	54492	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.637403965 CET	61460	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.637439966 CET	55279	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.644603968 CET	53	61460	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.645052910 CET	65465	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.645107985 CET	53	55279	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.645669937 CET	50730	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:26.652391911 CET	53	65465	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:26.654449940 CET	53	50730	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:33.518949986 CET	58323	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:33.527426958 CET	53	58323	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.279824972 CET	59953	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.287178993 CET	53	59953	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.314896107 CET	64552	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.323173046 CET	53	64552	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.324340105 CET	57519	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.331948042 CET	53	57519	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.332990885 CET	49903	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.339692116 CET	60583	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.341300964 CET	53	49903	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.347425938 CET	53	60583	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.371351004 CET	53089	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.378777027 CET	53	53089	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:35.385200024 CET	57753	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:35.393039942 CET	53	57753	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:54.263176918 CET	56609	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:54.271608114 CET	53	56609	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:54.272459984 CET	55933	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:53:54.281196117 CET	53	55933	1.1.1.1	192.168.2.4
Oct 30, 2024 11:53:54.894952059 CET	53176	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:54:05.667337894 CET	52326	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:54:05.674882889 CET	53	52326	1.1.1.1	192.168.2.4
Oct 30, 2024 11:54:35.066054106 CET	60775	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:54:35.114233017 CET	53	60775	1.1.1.1	192.168.2.4
Oct 30, 2024 11:55:55.910685062 CET	49877	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:55:55.918004990 CET	53	49877	1.1.1.1	192.168.2.4
Oct 30, 2024 11:55:55.919153929 CET	61046	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:55:55.926640034 CET	53	61046	1.1.1.1	192.168.2.4
Oct 30, 2024 11:55:55.927290916 CET	52643	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:55:55.934462070 CET	53	52643	1.1.1.1	192.168.2.4
Oct 30, 2024 11:55:56.546149969 CET	61151	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:55:56.554430008 CET	62679	53	192.168.2.4	1.1.1.1
Oct 30, 2024 11:55:56.561764002 CET	53	62679	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 11:53:07.007791996 CET	192.168.2.4	1.1.1.1	0x8e8	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.035782099 CET	192.168.2.4	1.1.1.1	0x47cb	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:07.820787907 CET	192.168.2.4	1.1.1.1	0xb637	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.829324961 CET	192.168.2.4	1.1.1.1	0xbdbe	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.837351084 CET	192.168.2.4	1.1.1.1	0x4597	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:08.014187098 CET	192.168.2.4	1.1.1.1	0x482a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.028036118 CET	192.168.2.4	1.1.1.1	0xcc0e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.041865110 CET	192.168.2.4	1.1.1.1	0x2876	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:08.379157066 CET	192.168.2.4	1.1.1.1	0x7075	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.388298988 CET	192.168.2.4	1.1.1.1	0xf415	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.400477886 CET	192.168.2.4	1.1.1.1	0xed5b	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:09.285080910 CET	192.168.2.4	1.1.1.1	0xcdd6	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.287426949 CET	192.168.2.4	1.1.1.1	0x4122	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.295774937 CET	192.168.2.4	1.1.1.1	0xd0af	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.296885967 CET	192.168.2.4	1.1.1.1	0x9319	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.308334112 CET	192.168.2.4	1.1.1.1	0xc241	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:09.327394962 CET	192.168.2.4	1.1.1.1	0xaee7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.346232891 CET	192.168.2.4	1.1.1.1	0x6b9d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.361927032 CET	192.168.2.4	1.1.1.1	0xb3f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:09.657759905 CET	192.168.2.4	1.1.1.1	0x2476	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.667915106 CET	192.168.2.4	1.1.1.1	0x80e9	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.675616980 CET	192.168.2.4	1.1.1.1	0x57fe	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:11.311916113 CET	192.168.2.4	1.1.1.1	0x2cf5	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:11.439162970 CET	192.168.2.4	1.1.1.1	0xc830	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:11.453133106 CET	192.168.2.4	1.1.1.1	0x768f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:11.472254992 CET	192.168.2.4	1.1.1.1	0xd4e8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:12.328290939 CET	192.168.2.4	1.1.1.1	0xee0b	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.334690094 CET	192.168.2.4	1.1.1.1	0x6320	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.340104103 CET	192.168.2.4	1.1.1.1	0x4277	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.363370895 CET	192.168.2.4	1.1.1.1	0x731c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:12.366483927 CET	192.168.2.4	1.1.1.1	0x96bb	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:15.417479992 CET	192.168.2.4	1.1.1.1	0x8a17	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:15.425618887 CET	192.168.2.4	1.1.1.1	0x64d4	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:15.464802027 CET	192.168.2.4	1.1.1.1	0xb823	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:21.807064056 CET	192.168.2.4	1.1.1.1	0x7f11	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:21.809973001 CET	192.168.2.4	1.1.1.1	0xfa24	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:26.602533102 CET	192.168.2.4	1.1.1.1	0x2c56	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.602533102 CET	192.168.2.4	1.1.1.1	0x76bc	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.602861881 CET	192.168.2.4	1.1.1.1	0x1518	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610819101 CET	192.168.2.4	1.1.1.1	0x5671	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.611066103 CET	192.168.2.4	1.1.1.1	0x95db	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.611617088 CET	192.168.2.4	1.1.1.1	0x9245	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.620806932 CET	192.168.2.4	1.1.1.1	0x7da7	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:26.620974064 CET	192.168.2.4	1.1.1.1	0x3c40	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 30, 2024 11:53:26.621186972 CET	192.168.2.4	1.1.1.1	0xb18f	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:26.628988028 CET	192.168.2.4	1.1.1.1	0xab41	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.629514933 CET	192.168.2.4	1.1.1.1	0xaced	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.637403965 CET	192.168.2.4	1.1.1.1	0x49d7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.637439966 CET	192.168.2.4	1.1.1.1	0x14f7	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.645052910 CET	192.168.2.4	1.1.1.1	0xd9ca	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:26.645669937 CET	192.168.2.4	1.1.1.1	0xa035	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:33.518949986 CET	192.168.2.4	1.1.1.1	0x61ee	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:35.279824972 CET	192.168.2.4	1.1.1.1	0x352f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 30, 2024 11:53:35.314896107 CET	192.168.2.4	1.1.1.1	0x43bb	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.324340105 CET	192.168.2.4	1.1.1.1	0xcaec	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.332990885 CET	192.168.2.4	1.1.1.1	0xf602	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 30, 2024 11:53:35.339692116 CET	192.168.2.4	1.1.1.1	0x7b23	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.371351004 CET	192.168.2.4	1.1.1.1	0x68ad	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.385200024 CET	192.168.2.4	1.1.1.1	0x7490	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:54.263176918 CET	192.168.2.4	1.1.1.1	0x98e0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:54.272459984 CET	192.168.2.4	1.1.1.1	0x2117	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:53:54.894952059 CET	192.168.2.4	1.1.1.1	0x91e0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:54:05.667337894 CET	192.168.2.4	1.1.1.1	0x1b39	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:54:35.066054106 CET	192.168.2.4	1.1.1.1	0xf322	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:55:55.910685062 CET	192.168.2.4	1.1.1.1	0x875a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:55.919153929 CET	192.168.2.4	1.1.1.1	0xc42c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:55.927290916 CET	192.168.2.4	1.1.1.1	0x7b84	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 30, 2024 11:55:56.546149969 CET	192.168.2.4	1.1.1.1	0x75a7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:56.554430008 CET	192.168.2.4	1.1.1.1	0xb8ba	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 11:53:06.996881008 CET	1.1.1.1	192.168.2.4	0xbae5	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.015906096 CET	1.1.1.1	192.168.2.4	0x8e8	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.828114986 CET	1.1.1.1	192.168.2.4	0xb637	No error (0)	youtube.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.836801052 CET	1.1.1.1	192.168.2.4	0xbdbe	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:07.844638109 CET	1.1.1.1	192.168.2.4	0x4597	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 30, 2024 11:53:08.022622108 CET	1.1.1.1	192.168.2.4	0x482a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:08.022622108 CET	1.1.1.1	192.168.2.4	0x482a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.036304951 CET	1.1.1.1	192.168.2.4	0xcc0e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.049088001 CET	1.1.1.1	192.168.2.4	0x2876	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 11:53:08.386986017 CET	1.1.1.1	192.168.2.4	0x7075	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:08.396492958 CET	1.1.1.1	192.168.2.4	0xf415	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.292716980 CET	1.1.1.1	192.168.2.4	0xcdd6	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:09.292716980 CET	1.1.1.1	192.168.2.4	0xcdd6	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.294922113 CET	1.1.1.1	192.168.2.4	0x4122	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.303271055 CET	1.1.1.1	192.168.2.4	0xd0af	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.303271055 CET	1.1.1.1	192.168.2.4	0xd0af	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.304246902 CET	1.1.1.1	192.168.2.4	0xf2a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:09.304246902 CET	1.1.1.1	192.168.2.4	0xf2a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.304548025 CET	1.1.1.1	192.168.2.4	0x9319	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.334719896 CET	1.1.1.1	192.168.2.4	0xaee7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:09.334719896 CET	1.1.1.1	192.168.2.4	0xaee7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.354527950 CET	1.1.1.1	192.168.2.4	0x6b9d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.665843010 CET	1.1.1.1	192.168.2.4	0x2476	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:09.665843010 CET	1.1.1.1	192.168.2.4	0x2476	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:09.665843010 CET	1.1.1.1	192.168.2.4	0x2476	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.675003052 CET	1.1.1.1	192.168.2.4	0x80e9	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:09.683319092 CET	1.1.1.1	192.168.2.4	0x57fe	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 30, 2024 11:53:11.319592953 CET	1.1.1.1	192.168.2.4	0x2cf5	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:11.446536064 CET	1.1.1.1	192.168.2.4	0xc830	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:11.460994959 CET	1.1.1.1	192.168.2.4	0x768f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.311590910 CET	1.1.1.1	192.168.2.4	0x4b9b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:12.311590910 CET	1.1.1.1	192.168.2.4	0x4b9b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.329588890 CET	1.1.1.1	192.168.2.4	0x2eda	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.336704016 CET	1.1.1.1	192.168.2.4	0xee0b	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:12.336704016 CET	1.1.1.1	192.168.2.4	0xee0b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.342331886 CET	1.1.1.1	192.168.2.4	0x6320	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:12.348627090 CET	1.1.1.1	192.168.2.4	0x4277	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:15.424784899 CET	1.1.1.1	192.168.2.4	0x8a17	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:15.424784899 CET	1.1.1.1	192.168.2.4	0x8a17	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:15.424784899 CET	1.1.1.1	192.168.2.4	0x8a17	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:15.433737993 CET	1.1.1.1	192.168.2.4	0x64d4	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:15.530174971 CET	1.1.1.1	192.168.2.4	0xe841	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610012054 CET	1.1.1.1	192.168.2.4	0x2c56	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610306025 CET	1.1.1.1	192.168.2.4	0x76bc	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610306025 CET	1.1.1.1	192.168.2.4	0x76bc	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610953093 CET	1.1.1.1	192.168.2.4	0x1518	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:26.610953093 CET	1.1.1.1	192.168.2.4	0x1518	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618518114 CET	1.1.1.1	192.168.2.4	0x5671	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618786097 CET	1.1.1.1	192.168.2.4	0x95db	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.618822098 CET	1.1.1.1	192.168.2.4	0x9245	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.628348112 CET	1.1.1.1	192.168.2.4	0x7da7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 11:53:26.628348112 CET	1.1.1.1	192.168.2.4	0x7da7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 11:53:26.628348112 CET	1.1.1.1	192.168.2.4	0x7da7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 11:53:26.628348112 CET	1.1.1.1	192.168.2.4	0x7da7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 30, 2024 11:53:26.628743887 CET	1.1.1.1	192.168.2.4	0xb18f	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 30, 2024 11:53:26.628772974 CET	1.1.1.1	192.168.2.4	0x3c40	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 30, 2024 11:53:26.636750937 CET	1.1.1.1	192.168.2.4	0xab41	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:26.636750937 CET	1.1.1.1	192.168.2.4	0xab41	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.636750937 CET	1.1.1.1	192.168.2.4	0xab41	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.636750937 CET	1.1.1.1	192.168.2.4	0xab41	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.636750937 CET	1.1.1.1	192.168.2.4	0xab41	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.636904001 CET	1.1.1.1	192.168.2.4	0xaced	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.644603968 CET	1.1.1.1	192.168.2.4	0x49d7	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.645107985 CET	1.1.1.1	192.168.2.4	0x14f7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.645107985 CET	1.1.1.1	192.168.2.4	0x14f7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.645107985 CET	1.1.1.1	192.168.2.4	0x14f7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:26.645107985 CET	1.1.1.1	192.168.2.4	0x14f7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.286966085 CET	1.1.1.1	192.168.2.4	0x71f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:35.286966085 CET	1.1.1.1	192.168.2.4	0x71f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.323173046 CET	1.1.1.1	192.168.2.4	0x43bb	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.323173046 CET	1.1.1.1	192.168.2.4	0x43bb	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.323173046 CET	1.1.1.1	192.168.2.4	0x43bb	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.323173046 CET	1.1.1.1	192.168.2.4	0x43bb	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.331948042 CET	1.1.1.1	192.168.2.4	0xcaec	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.331948042 CET	1.1.1.1	192.168.2.4	0xcaec	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.331948042 CET	1.1.1.1	192.168.2.4	0xcaec	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.331948042 CET	1.1.1.1	192.168.2.4	0xcaec	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.341300964 CET	1.1.1.1	192.168.2.4	0xf602	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 11:53:35.341300964 CET	1.1.1.1	192.168.2.4	0xf602	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 11:53:35.341300964 CET	1.1.1.1	192.168.2.4	0xf602	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 11:53:35.341300964 CET	1.1.1.1	192.168.2.4	0xf602	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 30, 2024 11:53:35.347425938 CET	1.1.1.1	192.168.2.4	0x7b23	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:35.347425938 CET	1.1.1.1	192.168.2.4	0x7b23	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:35.378777027 CET	1.1.1.1	192.168.2.4	0x68ad	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:36.594542980 CET	1.1.1.1	192.168.2.4	0xb181	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:36.594542980 CET	1.1.1.1	192.168.2.4	0xb181	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:54.271608114 CET	1.1.1.1	192.168.2.4	0x98e0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:53:54.902575016 CET	1.1.1.1	192.168.2.4	0x91e0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:53:54.902575016 CET	1.1.1.1	192.168.2.4	0x91e0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:54:05.665826082 CET	1.1.1.1	192.168.2.4	0x5683	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:55.918004990 CET	1.1.1.1	192.168.2.4	0x875a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:55.926640034 CET	1.1.1.1	192.168.2.4	0xc42c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:56.553224087 CET	1.1.1.1	192.168.2.4	0x75a7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 30, 2024 11:55:56.553224087 CET	1.1.1.1	192.168.2.4	0x75a7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 30, 2024 11:55:56.561764002 CET	1.1.1.1	192.168.2.4	0xb8ba	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7804	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 11:53:08.065730095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:08.652784109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76131 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7804	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 11:53:09.352159023 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:09.948462963 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67058 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	7804	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 11:53:10.031833887 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:10.627476931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76133 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:11.332068920 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:11.456880093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76134 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:12.322182894 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:12.447587967 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76135 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:15.448817015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:15.573870897 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:21.804615021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:21.930068016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76144 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:23.542741060 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:23.667928934 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76146 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:33.682158947 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:53:34.127593040 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:34.254266024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76157 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:35.906037092 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:36.031063080 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76158 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:36.578493118 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:36.703768015 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76159 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:53:46.704379082 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:53:54.894665956 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:53:55.019821882 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76177 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:54:03.878926992 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:54:04.003695965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76186 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:54:06.288269997 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:54:06.413487911 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76189 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:54:16.420049906 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:54:26.433782101 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:54:35.859087944 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:54:35.983856916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76218 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 30, 2024 11:54:45.989850044 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:54:56.002279043 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:06.031091928 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:16.059318066 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:26.065671921 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:36.079016924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:56.545892954 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 30, 2024 11:55:56.671222925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 29 Oct 2024 13:44:17 GMT Age: 76299 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49753	34.107.221.82	80	7804	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 11:53:10.694333076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:11.300075054 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67060 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:11.478415012 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:11.605485916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67060 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:15.434855938 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:15.561836004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67064 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:20.835985899 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:20.963049889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67069 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:22.305538893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:22.449773073 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67071 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:23.871031046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:23.998028994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67072 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:33.998656034 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:53:34.257584095 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:34.384504080 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67083 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:36.033086061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:36.160176039 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67085 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:36.705897093 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:36.833172083 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67085 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:53:46.835944891 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:53:55.023029089 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:53:55.149940968 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67104 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:54:04.006629944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:54:04.133517981 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67113 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:54:06.446134090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:54:06.572959900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67115 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:54:16.589458942 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:54:26.596559048 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:54:35.987497091 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:54:36.114831924 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67145 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 30, 2024 11:54:46.121392965 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:54:56.133848906 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:06.147000074 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:16.159591913 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:26.166002035 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:36.179301023 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 30, 2024 11:55:56.674429893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 30, 2024 11:55:56.801548958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 29 Oct 2024 16:15:31 GMT Age: 67225 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	06:52:57
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6f0000
File size:	919'552 bytes
MD5 hash:	388A4D9E5A5EC3446324F1DCFEE1F8DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:52:57
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x890000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:52:57
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:53:00
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x890000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:53:00
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:53:00
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x890000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:53:00
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:53:00
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x890000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:53:00
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:53:01
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x890000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:53:01
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:53:01
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:53:01
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:53:02
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	06:53:04
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb6f847-cb9e-4fb5-afb6-641a629cd22d} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b04870510 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:53:06
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -parentBuildID 20230927232528 -prefsHandle 3560 -prefMapHandle 3100 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19bf62ce-243b-4030-87bf-9d8b0acb858c} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b16cb5410 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:53:11
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5308 -prefMapHandle 1556 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cdc9275-8888-45cf-a7dd-d000686ae1a0} 7804 "\\.\pipe\gecko-crash-server-pipe.7804" 16b15a97310 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	1514
Total number of Limit Nodes:	61

Executed Functions

Function 006F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006F430D

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

GetCurrentProcess.KERNEL32(?,0078CB64,00000000,?,?), ref: 006F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006F4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006F44A0

Strings

|O, xrefs: 007336F8
GetNativeSystemInfo, xrefs: 006F4460
kernel32.dll, xrefs: 006F444F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: d3eb0e19b6ded4871dfdadbf5ed48db3b9bc16b4ab4e35b9114f177fc5573d1e
Instruction ID: bfb33f692eb5ddec5effe2fa464038af20d54a5839bb4057c4e65ddd3cce24ea
Opcode Fuzzy Hash: d3eb0e19b6ded4871dfdadbf5ed48db3b9bc16b4ab4e35b9114f177fc5573d1e
Instruction Fuzzy Hash: 08A1D27291A2C4CFD722D7697C819A53FE5AB67308B88D5BCD441A3E23D63C4509CB2D

Function 006F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006F50AA,?,?,00000000,00000000), ref: 006F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006F50AA,?,?,00000000,00000000), ref: 006F42C9
LoadResource.KERNEL32(?,00000000,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20), ref: 007335BE
SizeofResource.KERNEL32(?,00000000,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20), ref: 007335D3
LockResource.KERNEL32(006F50AA,?,?,006F50AA,?,?,00000000,00000000,?,?,?,?,?,?,006F4F20,?), ref: 007335E6

Strings

SCRIPT, xrefs: 006F42BF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8c9eb8e5dda3171f46bb3c9db251046699a43b1cb8552f3a2a42e2e5fefd57a9
Instruction ID: 6ae619d4c4a7bddbe49379928d1abe8708617eb6bf3251e74d3be33d64e7f559
Opcode Fuzzy Hash: 8c9eb8e5dda3171f46bb3c9db251046699a43b1cb8552f3a2a42e2e5fefd57a9
Instruction Fuzzy Hash: 0B117970240704BFEB228BA5DC49F677BBAEFC5B51F208169F50296AA0DB71D9008B30

Function 00732BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006F2B6B

Part of subcall function 006F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007C1418,?,006F2E7F,?,?,?,00000000), ref: 006F3A78

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007B2224), ref: 00732C10
ShellExecuteW.SHELL32(00000000,?,?,007B2224), ref: 00732C17

Strings

runas, xrefs: 00732C0B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ea07eb2544b9e9917baf421bb46a8415cb7cb844d13380eeb2bb517a647beffe
Instruction ID: 810fe24c9158d9b237f9410603c16c03b0685cb8b0898ba4a9563d6a1054aa05
Opcode Fuzzy Hash: ea07eb2544b9e9917baf421bb46a8415cb7cb844d13380eeb2bb517a647beffe
Instruction Fuzzy Hash: 4D110A3110835E6AC745FF24D852EBD77A69F91340F44542DF742021A3DF38960A871A

Function 0075D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0075D501
Process32FirstW.KERNEL32(00000000,?), ref: 0075D50F
Process32NextW.KERNEL32(00000000,?), ref: 0075D52F
CloseHandle.KERNELBASE(00000000), ref: 0075D5DC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 7e35d506056e9c8903c5d4d283166490505b2f59fbd046265e858adf4b366906
Instruction ID: 5f375bf7525dc27c593a1e2038a3a8b6de1e234d43fe69811230efc22501d680
Opcode Fuzzy Hash: 7e35d506056e9c8903c5d4d283166490505b2f59fbd046265e858adf4b366906
Instruction Fuzzy Hash: D731C2710083049FD315EF54C885ABFBBF8EF99344F10092DF685821A1EBB19A49CBA2

Function 0075DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00735222), ref: 0075DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0075DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0075DBEE
FindClose.KERNEL32(00000000), ref: 0075DBFA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 42c521a66fef9db12bc306570d10d546a65c99ed7971b04a38641253756ce76a
Instruction ID: 4d1624d1ad3212269bec84c3e52e9e8bf17e427575339129a798f9070ab2d7ea
Opcode Fuzzy Hash: 42c521a66fef9db12bc306570d10d546a65c99ed7971b04a38641253756ce76a
Instruction Fuzzy Hash: 50F0A0308509149B92316B78AC0D8AE37ACAE01336F208702F836C20E0EBF85D5886B9

Function 00714CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000,?,007228E9), ref: 00714D09
TerminateProcess.KERNEL32(00000000,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000,?,007228E9), ref: 00714D10
ExitProcess.KERNEL32 ref: 00714D22

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9d5f12ca2c66172c14a2fda7e6b5a2e12c2b13bd9c8a428957e4b127a8756132
Instruction ID: ab36784b0e7721a6d028d3618f5912b28790d166e4a13e305f65210a32da91ed
Opcode Fuzzy Hash: 9d5f12ca2c66172c14a2fda7e6b5a2e12c2b13bd9c8a428957e4b127a8756132
Instruction Fuzzy Hash: 04E0B631540548ABCF12AF68ED0DA983B69FB41B81B208014FD498A562CB3DDD82DB94

Function 006FBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#|, xrefs: 007407CE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#|
API String ID: 3964851224-1286273844
Opcode ID: 323755a368f33e9545462a819c3ebb972911a11aae53afb2488d883baa028358
Instruction ID: 50371d7846ab44650b63ae75ea0d22a347d10d277bdd53a1d17fa52179b19ac5
Opcode Fuzzy Hash: 323755a368f33e9545462a819c3ebb972911a11aae53afb2488d883baa028358
Instruction Fuzzy Hash: 6BA27C70608345CFC714DF28C580B6ABBE2BF89314F14896DEA9A8B352D775EC45CB92

Function 0077AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0077B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0077B1D4
_wcslen.LIBCMT ref: 0077B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0077B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0077B236
_wcslen.LIBCMT ref: 0077B332

Part of subcall function 007605A7: GetStdHandle.KERNEL32(000000F6), ref: 007605C6

_wcslen.LIBCMT ref: 0077B34B
_wcslen.LIBCMT ref: 0077B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0077B3B6
GetLastError.KERNEL32(00000000), ref: 0077B407
CloseHandle.KERNEL32(?), ref: 0077B439
CloseHandle.KERNEL32(00000000), ref: 0077B44A
CloseHandle.KERNEL32(00000000), ref: 0077B45C
CloseHandle.KERNEL32(00000000), ref: 0077B46E
CloseHandle.KERNEL32(?), ref: 0077B4E3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f7622a283f917bc23006a5f6a8b8bbc39561bb4b28b5193b59213dcee8641d0e
Instruction ID: f7755ea78470aaa072517814cd61e2719ea4f2cd06ce6fb7eddaf6d3308722c3
Opcode Fuzzy Hash: f7622a283f917bc23006a5f6a8b8bbc39561bb4b28b5193b59213dcee8641d0e
Instruction Fuzzy Hash: C5F19931608344DFCB24EF24C895B6EBBE1AF85354F14855DF9998B2A2CB39EC44CB52

Function 006FD730 Relevance: 21.6, APIs: 14, Instructions: 626timeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006FD807
timeGetTime.WINMM ref: 006FDA07

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputStateTimetime
String ID:
API String ID: 2164325655-0
Opcode ID: 2b6e0fb0f296dec04e85dfdfce4ce04a2cc0807583638140735ffb06e68b46d3
Instruction ID: 6f826fa52db7b91bec1bb6d2feaa53c9aee87b6d8604f52d27b3a165c456432d
Opcode Fuzzy Hash: 2b6e0fb0f296dec04e85dfdfce4ce04a2cc0807583638140735ffb06e68b46d3
Instruction Fuzzy Hash: 79420F70608246DFD728CF24C888BBAB7E2BF41304F54861DFA6587292D778F855CB92

Function 006F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006F2D07
RegisterClassExW.USER32(00000030), ref: 006F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F2D42
InitCommonControlsEx.COMCTL32(?), ref: 006F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F2D6F
LoadIconW.USER32(000000A9), ref: 006F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F2D94

Strings

TaskbarCreated, xrefs: 006F2D37
AutoIt v3 GUI, xrefs: 006F2D23
+, xrefs: 006F2CF0
0, xrefs: 006F2CE9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 261b4aa453543745a4393cf2f89ac3ee93f52e93fb760a2885c7f90bfe40ffb7
Instruction ID: 10b8735791ca88a5889bbce3309e6fe9bae6b82ff4509761922e93c747601159
Opcode Fuzzy Hash: 261b4aa453543745a4393cf2f89ac3ee93f52e93fb760a2885c7f90bfe40ffb7
Instruction Fuzzy Hash: E021F4B1941348EFDB01DFA4EC49BDDBBB4FB09700F50812AF611A62A0D7B95540CFA9

Function 0073065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0073039A: CreateFileW.KERNELBASE(00000000,00000000,?,00730704,?,?,00000000,?,00730704,00000000,0000000C), ref: 007303B7

GetLastError.KERNEL32 ref: 0073076F
__dosmaperr.LIBCMT ref: 00730776
GetFileType.KERNELBASE(00000000), ref: 00730782
GetLastError.KERNEL32 ref: 0073078C
__dosmaperr.LIBCMT ref: 00730795
CloseHandle.KERNEL32(00000000), ref: 007307B5
CloseHandle.KERNEL32(?), ref: 007308FF
GetLastError.KERNEL32 ref: 00730931
__dosmaperr.LIBCMT ref: 00730938

Strings

H, xrefs: 007308BD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ee884e5262730f706690a50c5ced9f7385f672eb177cc19d42a39166bd58ca92
Instruction ID: 814cf7f12f1c01291aa563d9c599fc718ebc3d5a71c66a92a44ce126a0baa576
Opcode Fuzzy Hash: ee884e5262730f706690a50c5ced9f7385f672eb177cc19d42a39166bd58ca92
Instruction Fuzzy Hash: 99A12632A00118CFEF19EF68DC66BAE7BA0AB06320F14415DF8159B2D2D7399D52CBD5

Function 006F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007C1418,?,006F2E7F,?,?,?,00000000), ref: 006F3A78

Part of subcall function 006F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006F3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0073318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007331CE
RegCloseKey.ADVAPI32(?), ref: 00733210
_wcslen.LIBCMT ref: 00733277
_wcslen.LIBCMT ref: 00733286

Strings

\Include\, xrefs: 006F3527
Include, xrefs: 00733184, 007331C5
\, xrefs: 0073328C
Software\AutoIt v3\AutoIt, xrefs: 006F3560

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 65e0905c801d41b548db5ac8a05438668d30a1b8db6d2ed56e7963cafed937df
Instruction ID: eaaa0b604b170fc6a89f2b8c26f1ca75f029a5a878cac33c59359c84becc9441
Opcode Fuzzy Hash: 65e0905c801d41b548db5ac8a05438668d30a1b8db6d2ed56e7963cafed937df
Instruction Fuzzy Hash: 1F71C2714043459EC314EF69DC81DABBBE8FF85340F40852EF545832A2EB7C9A49CB6A

Function 006F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006F2B9D
LoadIconW.USER32(00000063), ref: 006F2BB3
LoadIconW.USER32(000000A4), ref: 006F2BC5
LoadIconW.USER32(000000A2), ref: 006F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006F2BEF
RegisterClassExW.USER32(?), ref: 006F2C40

Part of subcall function 006F2CD4: GetSysColorBrush.USER32(0000000F), ref: 006F2D07
Part of subcall function 006F2CD4: RegisterClassExW.USER32(00000030), ref: 006F2D31
Part of subcall function 006F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006F2D42
Part of subcall function 006F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006F2D5F
Part of subcall function 006F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006F2D6F
Part of subcall function 006F2CD4: LoadIconW.USER32(000000A9), ref: 006F2D85
Part of subcall function 006F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006F2D94

Strings

#, xrefs: 006F2C16
AutoIt v3, xrefs: 006F2C2F
0, xrefs: 006F2C0F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1c09b66398ca25a6e477380d5259a60204576c0167f158afb6fd9853d64fa475
Instruction ID: 619bda8e1e5dd58b0a3c9750131b52716f3031ba6e666ca34e3cd5ecac6e8477
Opcode Fuzzy Hash: 1c09b66398ca25a6e477380d5259a60204576c0167f158afb6fd9853d64fa475
Instruction Fuzzy Hash: E9217C70E40358ABDB119FA5EC54EA97FB4FB09B54F90802EE600A26A1D3B94510CF98

Function 006F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006F316A,?,?), ref: 006F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006F316A,?,?), ref: 006F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006F316A,?,?), ref: 006F3232
CreatePopupMenu.USER32 ref: 006F3246
PostQuitMessage.USER32(00000000), ref: 006F3267

Strings

TaskbarCreated, xrefs: 006F322D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 093b3b53cc938ab3c2edec1a4a67c7054767818c41009e875bdcfc2476be4079
Instruction ID: a01d5a45436f9f6cd91b7223eef79f38b44239824edfe5f8bacef976548227b5
Opcode Fuzzy Hash: 093b3b53cc938ab3c2edec1a4a67c7054767818c41009e875bdcfc2476be4079
Instruction Fuzzy Hash: 7E410531240268A6EB156B789D0DFB9371BE706344F54813DFB06853A3CB7A9B4287A9

Function 006F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006F1459
CoUninitialize.COMBASE ref: 006F14F8
UnregisterHotKey.USER32(?), ref: 006F16DD
DestroyWindow.USER32(?), ref: 007324B9
FreeLibrary.KERNEL32(?), ref: 0073251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0073254B

Strings

close all, xrefs: 006F1454

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 661795d4b2ed32a1619c7ae36f55f1a97e9adbeb86cacd76842c4afab4ca0581
Instruction ID: fc8095a10414fe957b3a2407741e96d24e23693c7f4bdf6b8e40508bd08c8b03
Opcode Fuzzy Hash: 661795d4b2ed32a1619c7ae36f55f1a97e9adbeb86cacd76842c4afab4ca0581
Instruction Fuzzy Hash: 33D18D31701212CFDB29EF15C499A29F7A2BF05740F2442ADE94AAB252DB34AD23CF54

Function 006F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006F1CAD,?), ref: 006F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006F1CAD,?), ref: 006F2CCF

Strings

AutoIt v3, xrefs: 006F2C89, 006F2C8E, 006F2C8F
edit, xrefs: 006F2CAC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8b51384d925be66b80aa702c6d80a1636d5e56da78759943126459ad730c4473
Instruction ID: 73ef97aecc4785caf035b1f63602230cc1e68bb42ba33e3d613c39f403f3ba0f
Opcode Fuzzy Hash: 8b51384d925be66b80aa702c6d80a1636d5e56da78759943126459ad730c4473
Instruction Fuzzy Hash: C1F0DA755802D07AEB311717AC08E772FBDD7C7F64B51806EF900A29A1C6791850DBB8

Function 006F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006F3B0F,SwapMouseButtons,00000004,?), ref: 006F3B83

Strings

Control Panel\Mouse, xrefs: 006F3B3E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ab26b74802349e11f21f9953a9dc8e6a17e032cf05392f807c6313a8887cb2ac
Instruction ID: addff818681a50a355382d7a5bb5a9530e668ff14bf083e67d44c23cf96e627f
Opcode Fuzzy Hash: ab26b74802349e11f21f9953a9dc8e6a17e032cf05392f807c6313a8887cb2ac
Instruction Fuzzy Hash: E4115AB1511219FFDB218FA4DC44AFEB7B9EF20780B10845AA901D7210E2319E419764

Function 006F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007333A2

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F3A04

Strings

Line: , xrefs: 007333EB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 99b8b40f107eb9d49693ecc1dd9bf5862fe5ea98d149c44ce51b52ae35559321
Instruction ID: 2ab629e3223dbfb8b2d11ed3f3b4978e17b4013b037c09081379d2f9391f04a6
Opcode Fuzzy Hash: 99b8b40f107eb9d49693ecc1dd9bf5862fe5ea98d149c44ce51b52ae35559321
Instruction Fuzzy Hash: 99312671408358AED321EB10DC45FFBB7D9AB41314F00452EF69983292EB789A48C7CA

Function 006F2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00732C8C

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 006F2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F2DC4

Strings

X, xrefs: 00732C5A
`e{, xrefs: 00732C85

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e{
API String ID: 779396738-1989916424
Opcode ID: d058bcea549ff1f03d67c2e2872817c5cd7dd9c9aed22a9a318c75672e61678f
Instruction ID: 6396e7e6238377aa46dc700a13be9394f7925e38848aa42167c01199b2a173ec
Opcode Fuzzy Hash: d058bcea549ff1f03d67c2e2872817c5cd7dd9c9aed22a9a318c75672e61678f
Instruction Fuzzy Hash: 1121A571A0029C9FDF41DF94C845BEE7BF9AF49304F108069E605B7242DBBC5A898F65

Function 0070FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00710668

Part of subcall function 007132A4: RaiseException.KERNEL32(?,?,?,0071068A,?,007C1444,?,?,?,?,?,?,0071068A,006F1129,007B8738,006F1129), ref: 00713304

__CxxThrowException@8.LIBVCRUNTIME ref: 00710685

Strings

Unknown exception, xrefs: 00710692

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 14fe580ea54b128606d239b101dc2a2b6e8b0cf61e2d679af51cfd43eabefc63
Instruction ID: 3ff082557eb870f3e78328d944c1df3c4a747753a38f45c0d2c85532e193c835
Opcode Fuzzy Hash: 14fe580ea54b128606d239b101dc2a2b6e8b0cf61e2d679af51cfd43eabefc63
Instruction Fuzzy Hash: 8DF02234A0020CF7CB04B6ACD85ADDE77AC6E00314B604131F824928D2EFBDDAEAC6C0

Function 006F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F1BF4
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006F1BFC
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F1C07
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F1C12
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006F1C1A
Part of subcall function 006F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006F1C22

Part of subcall function 006F1B4A: RegisterWindowMessageW.USER32(00000004,?,006F12C4), ref: 006F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006F136A
OleInitialize.OLE32 ref: 006F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 007324AB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 08f485441bffbd6edf89561544d260c5f3610b03e966a85ae9a79218e7da894c
Instruction ID: 6d70cc0456171961539d02c42d86215f0f846c678b6175362f2ca123c132296d
Opcode Fuzzy Hash: 08f485441bffbd6edf89561544d260c5f3610b03e966a85ae9a79218e7da894c
Instruction Fuzzy Hash: F671A9B49152448E8388EF79B855E653BE1AB8B3903D4C27ED50AC7363EB3C85218F5C

Function 0075C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0075C259
KillTimer.USER32(?,00000001,?,?), ref: 0075C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0075C270

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6d2a444370319f4109785dbccc68116e30a442f66a86055630ff1bb02c0cae0e
Instruction ID: bf8217b8e7f97210d7b851ddb419a0a5e4c217dd5d7e27902e80d94fd2331347
Opcode Fuzzy Hash: 6d2a444370319f4109785dbccc68116e30a442f66a86055630ff1bb02c0cae0e
Instruction Fuzzy Hash: D531D970904344AFEB338F648855BE7BBECAF06305F00449DD6DA97241C7B85A88CB55

Function 007286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007285CC,?,007B8CC8,0000000C), ref: 00728704
GetLastError.KERNEL32(?,007285CC,?,007B8CC8,0000000C), ref: 0072870E
__dosmaperr.LIBCMT ref: 00728739

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3f3a40236356bad329c4ca4fc8cf67f4b2f88a42722f72991bbb891d6f281a12
Instruction ID: 78f0b26da4a3fdfa55ff383634b7d4d3781b1adbca27e3acfb2c282a2f37d0b9
Opcode Fuzzy Hash: 3f3a40236356bad329c4ca4fc8cf67f4b2f88a42722f72991bbb891d6f281a12
Instruction Fuzzy Hash: 50018932A07230A6D2A0A334B84DB7E27494B82778F39411DF8148B1D3DEBECC818292

Function 006FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006FDB7B
DispatchMessageW.USER32(?), ref: 006FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006FDB9F
Sleep.KERNELBASE(0000000A), ref: 006FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00741CC9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a0ecb034015c8e412e320c01ed2672c70c93fa99ad08e673da71db5348b6b2e6
Instruction ID: 3992c808abeaa52968c3b651923552ca7c461b7eb7cb759349eff1a9923b13f5
Opcode Fuzzy Hash: a0ecb034015c8e412e320c01ed2672c70c93fa99ad08e673da71db5348b6b2e6
Instruction Fuzzy Hash: F4F054306443459BE730DB608C89FEA73A9EB45350F508A28E619C30D0DB38A4849B29

Function 00701310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007017F6

Strings

CALL, xrefs: 007017C6

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8bd1c1f38162c0f164bd3b815f3850c84027ba4e20e7aa7e733910cf5ab3c51a
Instruction ID: f0fb413540be04d3ae5303bf0c7f50742ac210e515c0182aedb3b6ba8cde1755
Opcode Fuzzy Hash: 8bd1c1f38162c0f164bd3b815f3850c84027ba4e20e7aa7e733910cf5ab3c51a
Instruction Fuzzy Hash: 76229B70608241DFC714DF14C884A2ABBF1BF85314F548A6DF4968B3A2D77AE951CB92

Function 006F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F3908

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aa9c22aa9bf5d9bd45aaab8beb1ee790ffddca71b48e40d1a6d7cc8ace9e6ec9
Instruction ID: b076c5f99da09a3f395cb3310365c06473dd5ab22949947a05f8b9c13ff470f0
Opcode Fuzzy Hash: aa9c22aa9bf5d9bd45aaab8beb1ee790ffddca71b48e40d1a6d7cc8ace9e6ec9
Instruction Fuzzy Hash: 7531B1705043449FD721DF24D884BE7BBE8FB49748F00492EFA9983341E7B9AA44CB56

Function 0070F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0070F661

Part of subcall function 006FD730: GetInputState.USER32 ref: 006FD807

Sleep.KERNEL32(00000000), ref: 0074F2DE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 64fe47f009f58e54b75aa31e1abf5f1620d59d113d45db650c809fc3d0d48b57
Instruction ID: 192a172e0c1c9b7921cacc8387b441db4d7cf94cfdb0efdbc49a6e2f7ff85665
Opcode Fuzzy Hash: 64fe47f009f58e54b75aa31e1abf5f1620d59d113d45db650c809fc3d0d48b57
Instruction Fuzzy Hash: 5EF08C312802099FD350EF69D459B6AB7EAFF46760F00402AE959C72A0DB74B800CBA8

Function 006F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E9C
Part of subcall function 006F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F4EAE
Part of subcall function 006F4E90: FreeLibrary.KERNEL32(00000000,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EFD

Part of subcall function 006F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E62
Part of subcall function 006F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F4E74
Part of subcall function 006F4E59: FreeLibrary.KERNEL32(00000000,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E87

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7919660873c5c5730be5c3678afb1a602f33becd61a453befbb8a3c5ca3b5885
Instruction ID: 4f6d9a5912f484d799da3136ebcbd1eebd5e5f03e4ef5c397744da33d1af0555
Opcode Fuzzy Hash: 7919660873c5c5730be5c3678afb1a602f33becd61a453befbb8a3c5ca3b5885
Instruction Fuzzy Hash: 4811E731610209ABDB24FB64DC07FBE77A6AF80710F10842DF646A65C1DE749E459764

Function 00728402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00728440

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: bd741925cfc033a8e6f10ee59d40d04e4c43115ad3ef45cbf81c168e085ca6fb
Instruction ID: a8dfe66e76d78645882cc718ea8104d1e3e4ab3258c9ba3828d65bdc59e67ad5
Opcode Fuzzy Hash: bd741925cfc033a8e6f10ee59d40d04e4c43115ad3ef45cbf81c168e085ca6fb
Instruction Fuzzy Hash: 3211187590410AEFCB05DF58E94599A7BF5EF48314F144059F808AB312DB35EA21CBA5

Function 0071E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 89d35c641f45834f52d01ccadfd0ada6d12470f7817bdf94f8a339b99201c9b3
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3FF02D32511A20EBC7313E6D9C0DBDA33A89F52330F100715FD21931D2CB7CE88289A6

Function 00723820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f68e799db8d5642a417fe5d779a2290add1fcc2429904d590d204c765f12506b
Instruction ID: 00fb8e42888eb6fc247f1e28535fa7fe42c80cb8513aff4843af31f4894709a6
Opcode Fuzzy Hash: f68e799db8d5642a417fe5d779a2290add1fcc2429904d590d204c765f12506b
Instruction Fuzzy Hash: 93E0E5331002349AE721266ABC09BDA3759AB42FB0F160026FD059A5C1CB2DDD0182F0

Function 006F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4F6D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b6d8b35fd168b447f1fdb83ffa08b10653653540de5406d45c408c69dffafcdd
Instruction ID: 5e81bb97224f6cd6d6b310e92864c2c032c2a0becbe783af9c79aa87731597ea
Opcode Fuzzy Hash: b6d8b35fd168b447f1fdb83ffa08b10653653540de5406d45c408c69dffafcdd
Instruction Fuzzy Hash: E9F03071506755CFDB349F68D494863B7E6BF54329320C97EE2DE82A21CB319884DF10

Function 00782A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00782A66

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7a824b23ab57762db266ed9383c6a5d58c3f2a3e74a763bb56a8a8142ec6d461
Instruction ID: 4e9cafbbc2bc0a8473f16809b829ed518cb251becfaf3a2e65b3e02cb0a071f9
Opcode Fuzzy Hash: 7a824b23ab57762db266ed9383c6a5d58c3f2a3e74a763bb56a8a8142ec6d461
Instruction Fuzzy Hash: EAE04F7639011AAAC718FB30DC888FA735CEF503967108536AC2AC2111EB38999687A0

Function 006F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006F314E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 045856c2fccc6746f36f197aa7923b4bcfc634d16c69033f70fc8e4d110f0e16
Instruction ID: e2cfade92d782b7e5d68521b068452be8167d34505292cf7f15ebddd9c4242d7
Opcode Fuzzy Hash: 045856c2fccc6746f36f197aa7923b4bcfc634d16c69033f70fc8e4d110f0e16
Instruction Fuzzy Hash: 55F0A7709003589FE752DB24DC49BD57BBCB70170CF0040E9A64896283D7784798CF55

Function 006F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006F2DC4

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: c273ec153243ad6a233154a54d39eb5c7f1c8566040e4448e3cbb5ebf50cc5f8
Instruction ID: 8646eb9d05ec5e4f82dfabc3c5fd303199abb9500026e1ce3017d3e535a4bd62
Opcode Fuzzy Hash: c273ec153243ad6a233154a54d39eb5c7f1c8566040e4448e3cbb5ebf50cc5f8
Instruction Fuzzy Hash: BCE0CD726001245BD7119258DC05FEA77DDDFC8790F044075FD09D7248D974AD808654

Function 006F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006F3908

Part of subcall function 006FD730: GetInputState.USER32 ref: 006FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006F2B6B

Part of subcall function 006F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006F314E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: b82e9e42c42bb3905a29932e20b9a5defeeb0222abd97b726935b57ed2fcfcf0
Instruction ID: 0a2a1430e74186a31e279ce161757eba35f902e487869157281d9aecf88536da
Opcode Fuzzy Hash: b82e9e42c42bb3905a29932e20b9a5defeeb0222abd97b726935b57ed2fcfcf0
Instruction Fuzzy Hash: 07E0263130425C02CA48BB3498129BDA34BCBD2392F80143EF34243263CE288645432A

Function 0073039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00730704,?,?,00000000,?,00730704,00000000,0000000C), ref: 007303B7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d449854f82fa2ac3603ad0a3e5acaa4bcd5a8aa759ae897da951b84352582ce9
Instruction ID: 417a8fe82aa286ef05461d616f921cae280ab48bece95c43877f64a9f0850ea5
Opcode Fuzzy Hash: d449854f82fa2ac3603ad0a3e5acaa4bcd5a8aa759ae897da951b84352582ce9
Instruction Fuzzy Hash: E2D06C3204010DBBDF028F84DD4AEDA3BAAFB48714F118000BE1856020C736E821AB94

Function 006F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006F1CBC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2ed80db7acf26cc4e70df6325e5d74c93342329f083b86b2bae76261ac4b2a7a
Instruction ID: 2ac375eb8d8debe194e5de060c1e98905746a755dcfb8cf1efb39f741a6144b0
Opcode Fuzzy Hash: 2ed80db7acf26cc4e70df6325e5d74c93342329f083b86b2bae76261ac4b2a7a
Instruction Fuzzy Hash: ADC09B352C03049FF6155780BC5AF117754A348B04F64C005F609555E3C3F51431D758

Non-executed Functions

Function 00789576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0078961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0078965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0078969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007896C9
SendMessageW.USER32 ref: 007896F2
GetKeyState.USER32(00000011), ref: 0078978B
GetKeyState.USER32(00000009), ref: 00789798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007897AE
GetKeyState.USER32(00000010), ref: 007897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007897E9
SendMessageW.USER32 ref: 00789810
SendMessageW.USER32(?,00001030,?,00787E95), ref: 00789918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0078992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00789941
SetCapture.USER32(?), ref: 0078994A
ClientToScreen.USER32(?,?), ref: 007899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007899D6
ReleaseCapture.USER32 ref: 007899E1
GetCursorPos.USER32(?), ref: 00789A19
ScreenToClient.USER32(?,?), ref: 00789A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00789A80
SendMessageW.USER32 ref: 00789AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00789AEB
SendMessageW.USER32 ref: 00789B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00789B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00789B4A
GetCursorPos.USER32(?), ref: 00789B68
ScreenToClient.USER32(?,?), ref: 00789B75
GetParent.USER32(?), ref: 00789B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00789BFA
SendMessageW.USER32 ref: 00789C2B
ClientToScreen.USER32(?,?), ref: 00789C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00789CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00789CDE
SendMessageW.USER32 ref: 00789D01
ClientToScreen.USER32(?,?), ref: 00789D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00789D82

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

GetWindowLongW.USER32(?,000000F0), ref: 00789E05

Strings

@GUI_DRAGID, xrefs: 0078997D
F, xrefs: 00789D07
p#|, xrefs: 00789990

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#|
API String ID: 3429851547-2998581402
Opcode ID: e7f96a0b66cb70bc0c7d9cc410f12e70f484bd6848227bfd7af0749270081dfa
Instruction ID: 391cc37cd13a00ab3ccd0a427f083d52df191fef17a394b400b31840b8bb8476
Opcode Fuzzy Hash: e7f96a0b66cb70bc0c7d9cc410f12e70f484bd6848227bfd7af0749270081dfa
Instruction Fuzzy Hash: 17428A70244240EFDB25EF24CC44EBABBE5EF49310F18466DF699872A1E739E850CB55

Function 00784873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00784908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00784927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0078494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0078495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0078497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00784A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00784A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00784A7E
IsMenu.USER32(?), ref: 00784A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00784AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00784B20
GetWindowLongW.USER32(?,000000F0), ref: 00784B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00784BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00784C82
wsprintfW.USER32 ref: 00784CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00784CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00784CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00784D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00784D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00784D5A

Strings

%d/%02d/%02d, xrefs: 00784CA8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 04355c6d351574a619277001ad8af371a8395ade348fbdb269917c9b9ed808cb
Instruction ID: e92870cfc897ca186c64f31cbde98abd1c3615df21439a9765147f37726b5e1b
Opcode Fuzzy Hash: 04355c6d351574a619277001ad8af371a8395ade348fbdb269917c9b9ed808cb
Instruction Fuzzy Hash: 19121071680255ABEB25AF28CC49FAE7BF8FF44310F144169F515DB2E1DBB89940CB60

Function 0070F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0070F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074F474
IsIconic.USER32(00000000), ref: 0074F47D
ShowWindow.USER32(00000000,00000009), ref: 0074F48A
SetForegroundWindow.USER32(00000000), ref: 0074F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074F4AA
GetCurrentThreadId.KERNEL32 ref: 0074F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0074F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0074F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0074F4DE
SetForegroundWindow.USER32(00000000), ref: 0074F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F4F6
keybd_event.USER32(00000012,00000000), ref: 0074F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F50B
keybd_event.USER32(00000012,00000000), ref: 0074F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F519
keybd_event.USER32(00000012,00000000), ref: 0074F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0074F528
keybd_event.USER32(00000012,00000000), ref: 0074F52D
SetForegroundWindow.USER32(00000000), ref: 0074F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0074F557

Strings

Shell_TrayWnd, xrefs: 0074F46F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5f46899d4f1d3a3d2c373726635a6e9e0b7e7acb80c5d0035e6b1b78573790a7
Instruction ID: 9a15fe23ea14f96198f41597f367b180c1770884184518e40bb36ce34b1f39d9
Opcode Fuzzy Hash: 5f46899d4f1d3a3d2c373726635a6e9e0b7e7acb80c5d0035e6b1b78573790a7
Instruction Fuzzy Hash: CD317471B80218BBEB216BB55C4AFBF7E6CEB44B50F204065F601E61D1D7B85D10AB74

Function 00751201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
Part of subcall function 007516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
Part of subcall function 007516C3: GetLastError.KERNEL32 ref: 0075174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00751286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007512A8
CloseHandle.KERNEL32(?), ref: 007512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007512D1
GetProcessWindowStation.USER32 ref: 007512EA
SetProcessWindowStation.USER32(00000000), ref: 007512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00751310

Part of subcall function 007510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007511FC), ref: 007510D4
Part of subcall function 007510BF: CloseHandle.KERNEL32(?,?,007511FC), ref: 007510E9

Strings

, xrefs: 0075125A
Z{, xrefs: 00751392
default, xrefs: 0075130B
winsta0, xrefs: 007512CC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z{
API String ID: 22674027-874364712
Opcode ID: 2eaffe5bcb5e3652a3a22e57c221e712da6aa412c1679f9909b0135613e240ab
Instruction ID: 245574a88036ff71d3641f2656f19fe3a08682fa984146c00da1fa51475ce9f5
Opcode Fuzzy Hash: 2eaffe5bcb5e3652a3a22e57c221e712da6aa412c1679f9909b0135613e240ab
Instruction Fuzzy Hash: 3E819B71A00249AFDF219FA4DC49FEE7BB9EF04706F148129FD10A61A0D7B98949CB64

Function 00750B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
Part of subcall function 007510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
Part of subcall function 007510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
Part of subcall function 007510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00750BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00750C00
GetLengthSid.ADVAPI32(?), ref: 00750C17
GetAce.ADVAPI32(?,00000000,?), ref: 00750C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00750C6D
GetLengthSid.ADVAPI32(?), ref: 00750C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00750C8C
HeapAlloc.KERNEL32(00000000), ref: 00750C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00750CB4
CopySid.ADVAPI32(00000000), ref: 00750CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00750CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00750D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00750D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D45
HeapFree.KERNEL32(00000000), ref: 00750D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D55
HeapFree.KERNEL32(00000000), ref: 00750D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750D65
HeapFree.KERNEL32(00000000), ref: 00750D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00750D78
HeapFree.KERNEL32(00000000), ref: 00750D7F

Part of subcall function 00751193: GetProcessHeap.KERNEL32(00000008,00750BB1,?,00000000,?,00750BB1,?), ref: 007511A1
Part of subcall function 00751193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00750BB1,?), ref: 007511A8
Part of subcall function 00751193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00750BB1,?), ref: 007511B7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cc2f4d1cee01c892fb93b639cbe6f2bb473a6d0892a27a6ec8ea2a825cd5a193
Instruction ID: 185483a9b0fa871c2bce86a78c8aac2766bd16635e6d9c2c89f5e93bd7a63ff1
Opcode Fuzzy Hash: cc2f4d1cee01c892fb93b639cbe6f2bb473a6d0892a27a6ec8ea2a825cd5a193
Instruction Fuzzy Hash: 72715D71A0020AABDF11DFE4DC49FEEBBB8BF05341F148515ED14A6191D7B9A909CBB0

Function 0076EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0078CC08), ref: 0076EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0076EB37
GetClipboardData.USER32(0000000D), ref: 0076EB43
CloseClipboard.USER32 ref: 0076EB4F
GlobalLock.KERNEL32(00000000), ref: 0076EB87
CloseClipboard.USER32 ref: 0076EB91
GlobalUnlock.KERNEL32(00000000), ref: 0076EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0076EBC9
GetClipboardData.USER32(00000001), ref: 0076EBD1
GlobalLock.KERNEL32(00000000), ref: 0076EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0076EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0076EC38
GetClipboardData.USER32(0000000F), ref: 0076EC44
GlobalLock.KERNEL32(00000000), ref: 0076EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0076EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0076EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0076ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0076ECF3
CountClipboardFormats.USER32 ref: 0076ED14
CloseClipboard.USER32 ref: 0076ED59

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0146bf1957a2626fb259eb3e1ebb4238de7a29ba1b64589548d24b7b6d4ed8a6
Instruction ID: 4404d7f34f2237ee630e3336d7ba97201f6038773100f548b5fa0cb4050f9fec
Opcode Fuzzy Hash: 0146bf1957a2626fb259eb3e1ebb4238de7a29ba1b64589548d24b7b6d4ed8a6
Instruction Fuzzy Hash: AA6101782042059FD301EF20D888F3A77A4AF84744F28851DF95B872A2DB39DD05CBB6

Function 0076698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007669BE
FindClose.KERNEL32(00000000), ref: 00766A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00766A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00766A75

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00766AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00766ADF

Strings

%03d, xrefs: 00766DA2
%4d, xrefs: 00766BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00766B6A
%02d, xrefs: 00766C00, 00766C0A, 00766C5A, 00766CAA, 00766CFA, 00766D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00766B32

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d6e6e491498f5bf8d27e31ca161e4410b35f2a8245762a2cae123dcc9a8bee8c
Instruction ID: d1c0e1b93ae42a96693c7a46fd13f79c360aae7c7898552e2dfb932ae4de7967
Opcode Fuzzy Hash: d6e6e491498f5bf8d27e31ca161e4410b35f2a8245762a2cae123dcc9a8bee8c
Instruction Fuzzy Hash: 0BD160B2508344AFC354EBA4C885EBBB7EDAF88704F44491DF685C6191EB38DA04CB62

Function 00769642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00769663
GetFileAttributesW.KERNEL32(?), ref: 007696A1
SetFileAttributesW.KERNEL32(?,?), ref: 007696BB
FindNextFileW.KERNEL32(00000000,?), ref: 007696D3
FindClose.KERNEL32(00000000), ref: 007696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0076974A
SetCurrentDirectoryW.KERNEL32(007B6B7C), ref: 00769768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00769772
FindClose.KERNEL32(00000000), ref: 0076977F
FindClose.KERNEL32(00000000), ref: 0076978F

Strings

*.*, xrefs: 007696F5

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a58f187623d99f051618d45e3410e2409c59fc011f59bb9076c485a3dfd117ae
Instruction ID: 4e262bc9e429f572775f87dd016ed5c6afbf1ee16df3399eb358d5345393d915
Opcode Fuzzy Hash: a58f187623d99f051618d45e3410e2409c59fc011f59bb9076c485a3dfd117ae
Instruction Fuzzy Hash: 2A31B572540219AEDF15AFB4EC49AEE77ACAF49320F208165FA16E20D0DB3CDD44CB24

Function 0076979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00769819
FindClose.KERNEL32(00000000), ref: 00769824
FindFirstFileW.KERNEL32(*.*,?), ref: 00769840
SetCurrentDirectoryW.KERNEL32(?), ref: 00769890
SetCurrentDirectoryW.KERNEL32(007B6B7C), ref: 007698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007698B8
FindClose.KERNEL32(00000000), ref: 007698C5
FindClose.KERNEL32(00000000), ref: 007698D5

Part of subcall function 0075DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0075DB00

Strings

*.*, xrefs: 0076983B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 0a58c34c98b88d676bb7650e0b475e4acd12880612eb16e7e3a180cbe253f124
Instruction ID: 3b7ea4a954050bdb0877674eae8f3e2dc657391f0a8d63cf0c78d54e144dcfea
Opcode Fuzzy Hash: 0a58c34c98b88d676bb7650e0b475e4acd12880612eb16e7e3a180cbe253f124
Instruction Fuzzy Hash: 1031C77254021AAADF15AFB4DC48ADE77ACAF46320F208155EE11A30D0DB3CDD85CB64

Function 0077BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0077BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0077BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0077C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0077C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0077C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0077C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077C382
RegCloseKey.ADVAPI32(00000000), ref: 0077C38F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2ed562f26029bde4c2dda4a61903f455eb33a470bad24a76d84c8fe64cb037f5
Instruction ID: 6599e65ff68f993805badaf388c1717feebf6e3da91991f5be4cd8c61c6d25e9
Opcode Fuzzy Hash: 2ed562f26029bde4c2dda4a61903f455eb33a470bad24a76d84c8fe64cb037f5
Instruction Fuzzy Hash: B0027071604200AFDB15CF24C895E2ABBE5EF89358F18C49DF84ADB2A2D735EC45CB52

Function 00768195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00768257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00768267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00768273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00768310
SetCurrentDirectoryW.KERNEL32(?), ref: 00768324
SetCurrentDirectoryW.KERNEL32(?), ref: 00768356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0076838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00768395

Strings

*.*, xrefs: 0076839B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 2583f88ad4a83735a3148a3e4a98fd6b39f619d8c727d066a43f31ea2ac93eb1
Instruction ID: 6966f23882d20f9d7347539d527305490eda45d06f292df4d47f0d6bbb41735d
Opcode Fuzzy Hash: 2583f88ad4a83735a3148a3e4a98fd6b39f619d8c727d066a43f31ea2ac93eb1
Instruction Fuzzy Hash: A8618DB25043099FCB50EF64C8449AEB3E9FF89310F04891DFA8AC7251DB39E945CB96

Function 0075D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

FindFirstFileW.KERNEL32(?,?), ref: 0075D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0075D1DD
MoveFileW.KERNEL32(?,?), ref: 0075D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0075D237

Part of subcall function 0075D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0075D21C,?,?), ref: 0075D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0075D253
FindClose.KERNEL32(00000000), ref: 0075D264

Strings

\*.*, xrefs: 0075D0CD, 0075D0D6, 0075D0EB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3efe82975dc6dd2b533cf63dd8ebac02aa5b9c85cac791820bcfcb73a600d4eb
Instruction ID: ef9c61889bef9c79f82f29c517a78333ba6bee415b301c4c676ed8127da2a322
Opcode Fuzzy Hash: 3efe82975dc6dd2b533cf63dd8ebac02aa5b9c85cac791820bcfcb73a600d4eb
Instruction Fuzzy Hash: 8861AD3180511D9BCF25EBE0C9929FDB7B6AF15301F204169E90277291EB786F0DCB64

Function 0076ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0076ED91
EmptyClipboard.USER32 ref: 0076ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0076EDAC
CloseClipboard.USER32 ref: 0076EEA3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1d433345739e007795023dc037aeb654d452cf65e5766adf40ad3f86fa5571f1
Instruction ID: bc9576be86d27f0f733062295de579ceb024eb41510a00384b4d4f4a0ee410cf
Opcode Fuzzy Hash: 1d433345739e007795023dc037aeb654d452cf65e5766adf40ad3f86fa5571f1
Instruction Fuzzy Hash: 864182356046119FE711DF15D848F19BBE5FF44328F24C09DE8168BAA2D77AEC41CBA4

Function 0075E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
Part of subcall function 007516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
Part of subcall function 007516C3: GetLastError.KERNEL32 ref: 0075174A

ExitWindowsEx.USER32(?,00000000), ref: 0075E932

Strings

, xrefs: 0075E920
SeShutdownPrivilege, xrefs: 0075E902
, xrefs: 0075E95C
@, xrefs: 0075E925

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 2b2e7c4b117c12c7d90523498a59288d59bf9e1041d9d5e98c3f8327d733059e
Instruction ID: 8372db146b15fc07f741e701f1968cb17ad9d9037ed44f986237ce8b16ce0009
Opcode Fuzzy Hash: 2b2e7c4b117c12c7d90523498a59288d59bf9e1041d9d5e98c3f8327d733059e
Instruction Fuzzy Hash: F5012B72A10210ABEB182674AC8AFFF725CDB04743F254422FC03E20D1D7EC6D4882A5

Function 00771204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00771276
WSAGetLastError.WSOCK32 ref: 00771283
bind.WSOCK32(00000000,?,00000010), ref: 007712BA
WSAGetLastError.WSOCK32 ref: 007712C5
closesocket.WSOCK32(00000000), ref: 007712F4
listen.WSOCK32(00000000,00000005), ref: 00771303
WSAGetLastError.WSOCK32 ref: 0077130D
closesocket.WSOCK32(00000000), ref: 0077133C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f32b7a055f25461b2369a6be1ddf666b36a33926cd858f0b1bd2bea64ddf6bc6
Instruction ID: e6099ecf034785d0af87bd3b67bd56c3a2d92b192ef014f5842178ff30b7a14d
Opcode Fuzzy Hash: f32b7a055f25461b2369a6be1ddf666b36a33926cd858f0b1bd2bea64ddf6bc6
Instruction Fuzzy Hash: F44183316001009FDB10DF68C498B29BBE6BF46358F68C198D95A9F293C779ED85CBE1

Function 0075D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

FindFirstFileW.KERNEL32(?,?), ref: 0075D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0075D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0075D481
FindClose.KERNEL32(00000000), ref: 0075D498
FindClose.KERNEL32(00000000), ref: 0075D4A1

Strings

\*.*, xrefs: 0075D3F2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 51a0e0f4e9768224d210e2bc2c0d1e3bb22b8424ee051e641f9b0a5490cdd30e
Instruction ID: 031cb8306a2e121ab9cfe66d4bb7da1c7f7890ee2746d58081a72a9dc151bf88
Opcode Fuzzy Hash: 51a0e0f4e9768224d210e2bc2c0d1e3bb22b8424ee051e641f9b0a5490cdd30e
Instruction Fuzzy Hash: EA318D710083899BC225EF64C8918BFB7E9BE91341F404A1DF9D592291EB74AE0D8767

Function 0072E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0072E645

Strings

1#IND, xrefs: 0072F83D
1#INF, xrefs: 0072F852
1#SNAN, xrefs: 0072F844
1#QNAN, xrefs: 0072F84B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d8e1548292b49f4e65de767891889716c67a5cd9825f6a37839116d1e85bdbc1
Instruction ID: e3d3907dfb85b903ca39f63b230aa840d37dc49aff41b9d666b6541c021c3a14
Opcode Fuzzy Hash: d8e1548292b49f4e65de767891889716c67a5cd9825f6a37839116d1e85bdbc1
Instruction Fuzzy Hash: 18C22B72E046288FDB25CE28ED447EAB7B5EB49305F1541EAD84DE7241E778AE818F40

Function 0076648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007664DC
CoInitialize.OLE32(00000000), ref: 00766639
CoCreateInstance.OLE32(0078FCF8,00000000,00000001,0078FB68,?), ref: 00766650
CoUninitialize.OLE32 ref: 007668D4

Strings

.lnk, xrefs: 007664BA, 00766524, 007665E0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9f15c5b2206e12cd40489f2a0ed8ceb16e54e76a9ba7e26470486d5c3975ff41
Instruction ID: 0dcf667158a03ae67e46dbaaafaa20a3d27080d1a1d3cfa194faad14f4b01ae4
Opcode Fuzzy Hash: 9f15c5b2206e12cd40489f2a0ed8ceb16e54e76a9ba7e26470486d5c3975ff41
Instruction Fuzzy Hash: ABD14B715083059FC314EF24C881A6BB7E9FF94704F50496DF6968B2A2EB70ED05CBA6

Function 007722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007722E8

Part of subcall function 0076E4EC: GetWindowRect.USER32(?,?), ref: 0076E504

GetDesktopWindow.USER32 ref: 00772312
GetWindowRect.USER32(00000000), ref: 00772319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00772355
GetCursorPos.USER32(?), ref: 00772381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007723DF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 94e14e3fc4bfb39b6316009fcf61c52e3a36f0877392366ffc469de3f414d4c6
Instruction ID: a32b034916f33f58c61e9ba03bc726c63390cf88ff098c09b19010078ac193f5
Opcode Fuzzy Hash: 94e14e3fc4bfb39b6316009fcf61c52e3a36f0877392366ffc469de3f414d4c6
Instruction Fuzzy Hash: 413104721043059FCB20DF14D848F9BBBE9FF84354F104919F99997182DB38EA09CBA2

Function 00769B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00769B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00769C8B

Part of subcall function 00763874: GetInputState.USER32 ref: 007638CB
Part of subcall function 00763874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00763966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00769BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00769C75

Strings

*.*, xrefs: 00769B5D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 47a5e3c764a83ae042188892ab559d2d02cead62c976f05a89e9c0df960af6c5
Instruction ID: c4051c243f947cb6d34c517dd0e654399f72c883632f1d4e5610bbcacd317711
Opcode Fuzzy Hash: 47a5e3c764a83ae042188892ab559d2d02cead62c976f05a89e9c0df960af6c5
Instruction Fuzzy Hash: 954180B194421A9FCF55DF64C989AEEBBB9EF05310F204059F906A2191EB389E84CF64

Function 0070997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00709A4E
GetSysColor.USER32(0000000F), ref: 00709B23
SetBkColor.GDI32(?,00000000), ref: 00709B36

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8ba80c43f4d7593c57599d0c50862352191084c311dc8f2160ba130d8a684c46
Instruction ID: 8e48776cd0c3e488f3ab629538a606b2a39ef6991e10fff6a013babdafe79fba
Opcode Fuzzy Hash: 8ba80c43f4d7593c57599d0c50862352191084c311dc8f2160ba130d8a684c46
Instruction Fuzzy Hash: 92A106B0209444FEE729AA2C8C8DE7B3ADDDB86350B558319F612D69D3CB2D9D01C376

Function 00771806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
Part of subcall function 0077304E: _wcslen.LIBCMT ref: 0077309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0077185D
WSAGetLastError.WSOCK32 ref: 00771884
bind.WSOCK32(00000000,?,00000010), ref: 007718DB
WSAGetLastError.WSOCK32 ref: 007718E6
closesocket.WSOCK32(00000000), ref: 00771915

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0030fc8364ca060fee9c9b1aa6cd0c8ec2259b2f5877ac40c0661f4cb5746f2a
Instruction ID: 24c93251120ff6210d421b816d9aa475b7c9d25fd6f9be4660c93a3b930a20f9
Opcode Fuzzy Hash: 0030fc8364ca060fee9c9b1aa6cd0c8ec2259b2f5877ac40c0661f4cb5746f2a
Instruction Fuzzy Hash: 2A51B371A402049FDB10AF24C886F3A77E6AB45728F54C45CFA095F3C3C775AD418BA5

Function 00781C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00781CC0
IsWindowEnabled.USER32 ref: 00781CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00781CDB
IsIconic.USER32 ref: 00781CE9
IsZoomed.USER32 ref: 00781CF7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d36ec0b42df1be5caa9c2af7ebdf803230f9ca7f3b7e549930a47de256d6d2fc
Instruction ID: 6be39a0c512a095129c42b0d68a1772c7272aec84622dc2cf20c5a0f537d8d4e
Opcode Fuzzy Hash: d36ec0b42df1be5caa9c2af7ebdf803230f9ca7f3b7e549930a47de256d6d2fc
Instruction Fuzzy Hash: 9721D6317C02015FD721AF1AC844B267BA9EF85325B598068E845CB352D779DC43CBA4

Function 006F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 006F813C
VUUU, xrefs: 006F83FA
VUUU, xrefs: 006F843C
VUUU, xrefs: 006F83E8
VUUU, xrefs: 00735DF0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d5212dfbe54eda9ff058103fd65e9f3ae6f6208db9da2887de4ee4529831d01e
Instruction ID: 51d157787780522fc46dedbb13c82e8670b6a9f5551586503b4d9319a3b0b9cf
Opcode Fuzzy Hash: d5212dfbe54eda9ff058103fd65e9f3ae6f6208db9da2887de4ee4529831d01e
Instruction Fuzzy Hash: DEA25E71A0061ECFEF24CF58C8417BEB7B2BB54314F2485A9D915AB286EB749D81CB90

Function 00758298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007582AA

Strings

(, xrefs: 007582F0
tb{, xrefs: 007584F4
|, xrefs: 007582DA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb{$|
API String ID: 1659193697-2424425762
Opcode ID: fc8de6ca8a1d0755a042a99b62ccd7a828b4a1ff4533c4016b65438e6c1933d5
Instruction ID: d6fd577f1fd255f5104dcd2a5b53bc4fe6395b4ed12bb0fcab4c6a4da3222669
Opcode Fuzzy Hash: fc8de6ca8a1d0755a042a99b62ccd7a828b4a1ff4533c4016b65438e6c1933d5
Instruction Fuzzy Hash: 3F323975A00605DFC768CF59C0819AAB7F0FF48710B15C56EE89AEB3A1EB74E941CB40

Function 0075AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0075AAAC
SetKeyboardState.USER32(00000080), ref: 0075AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0075AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0075AB88

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 40513e9ab12224b186063bc48017ca530ee520c7b0f134e277decbaaa81d02d2
Instruction ID: 073cd4af78875cb7496392593274f760d11e960e1b9150c215b9d2b10a660f01
Opcode Fuzzy Hash: 40513e9ab12224b186063bc48017ca530ee520c7b0f134e277decbaaa81d02d2
Instruction Fuzzy Hash: E231FCB0A40248BEFF358A64CC05BFA77A6AB44312F14433BF981565D1D3BD8989C7E6

Function 0072BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0072BB7F

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

GetTimeZoneInformation.KERNEL32 ref: 0072BB91
WideCharToMultiByte.KERNEL32(00000000,?,007C121C,000000FF,?,0000003F,?,?), ref: 0072BC09
WideCharToMultiByte.KERNEL32(00000000,?,007C1270,000000FF,?,0000003F,?,?,?,007C121C,000000FF,?,0000003F,?,?), ref: 0072BC36

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 0e4dea1476df6a4213a1a67497d6bed598f6b24f5b2a57ffda901cd77a2139e7
Instruction ID: 66979a42133f6b16f1fc1de8399fc6b1bca54fd3e808d6546d2eeae559424536
Opcode Fuzzy Hash: 0e4dea1476df6a4213a1a67497d6bed598f6b24f5b2a57ffda901cd77a2139e7
Instruction Fuzzy Hash: 2E31C4B1A04255DFCB11DF69EC8097DBBB8FF46350764826EE060E72A2D7389D41CB64

Function 0076CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0076CE89
GetLastError.KERNEL32(?,00000000), ref: 0076CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0076CEFE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 6a68a1169e33cd6dc2c81c3e3f4312bdadbd0d8b32a14d9bebe23cfb299b3a20
Instruction ID: f10b1a183c64d82cebf25dacf6613ded5936a87948b403cb8022de6755ef7c3d
Opcode Fuzzy Hash: 6a68a1169e33cd6dc2c81c3e3f4312bdadbd0d8b32a14d9bebe23cfb299b3a20
Instruction Fuzzy Hash: C721B0B25003059BE732DF65C948BA6B7FCEB10314F10841EEA87D2191E779EE44CB64

Function 00765C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00765CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00765D17
FindClose.KERNEL32(?), ref: 00765D5F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: c0a0d985a55f0220481a07ddda898ed3085559bf108a8b2286543e3ec0c7ece1
Instruction ID: 0e15442345051acab69c67550e155aefb70d81de10d14f58c0d78ca5149fd965
Opcode Fuzzy Hash: c0a0d985a55f0220481a07ddda898ed3085559bf108a8b2286543e3ec0c7ece1
Instruction Fuzzy Hash: 29519974704A019FC714CF28C4D4AAAB7E4FF49324F14855EE99A8B3A2CB34ED44CBA1

Function 00722622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0072271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00722724
UnhandledExceptionFilter.KERNEL32(?), ref: 00722731

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dd965d0c43a2e8c3b38e8de39a5cd4c3e0c208a68284a05afdaa8d03b0149d7f
Instruction ID: 5bf8273e004ac992a457038b1850a035939794ff1999e44467df463e49ee43e4
Opcode Fuzzy Hash: dd965d0c43a2e8c3b38e8de39a5cd4c3e0c208a68284a05afdaa8d03b0149d7f
Instruction Fuzzy Hash: FF31D77494122CABCB21DF68DC897DDBBB8AF08310F5081DAE41CA72A1E7749F818F45

Function 007651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00765238
SetErrorMode.KERNEL32(00000000), ref: 007652A1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0d290ce92187b5c26585d97dc0fdc30ceaf6df03d638fd62ab386847d9261e85
Instruction ID: fcba2fda55c32763ccf7f9d6f138a2743949c58ebbabca00a073281fe5adad3b
Opcode Fuzzy Hash: 0d290ce92187b5c26585d97dc0fdc30ceaf6df03d638fd62ab386847d9261e85
Instruction Fuzzy Hash: D1316B75A00508DFDB00DF54D888EADBBB5FF48314F188099E905AB3A2CB35E846CBA0

Function 007516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0070FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00710668
Part of subcall function 0070FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00710685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0075170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0075173A
GetLastError.KERNEL32 ref: 0075174A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7e650b9801c1f8d2c488e945d5d87ee282c1215ae8ae43993695565f7850fb94
Instruction ID: a8acd766461cde6dd45ae41ddc78bc026ed034f7e73a709d2f7bdf15e303f7bb
Opcode Fuzzy Hash: 7e650b9801c1f8d2c488e945d5d87ee282c1215ae8ae43993695565f7850fb94
Instruction Fuzzy Hash: 411101B2500304EFD7289F64EC86EABB7F9EB44711B20852EE45653681EB78BC418B20

Function 0075D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0075D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0075D650

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 29a770467d28d94bdabb12f477136e3704aabd6347871aae580d27dcf3536e91
Instruction ID: 59044493744779d3752fbd3e751ee06c6e3aedf93ddbe045716990b4b6e02f26
Opcode Fuzzy Hash: 29a770467d28d94bdabb12f477136e3704aabd6347871aae580d27dcf3536e91
Instruction Fuzzy Hash: 36117C71E01228BBDB208F949C48FAFBBBCEB45B50F108111F904E7290C2B44A058BA1

Function 00751663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0075168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007516A1
FreeSid.ADVAPI32(?), ref: 007516B1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f0b26960f140cec9e3e71c8ff22989b7be0069f58faca88d7a29588d681199e7
Instruction ID: 799be79c4c61676ae9308c147a5fd6a2315ae5f9bfd06efc2f66066beb8b12b8
Opcode Fuzzy Hash: f0b26960f140cec9e3e71c8ff22989b7be0069f58faca88d7a29588d681199e7
Instruction Fuzzy Hash: CFF04971940308FBDB00CFE09C89EAEBBBCEB04241F504460E500E2180D774AA048B64

Function 0074D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0074D28C

Strings

X64, xrefs: 0074D2A8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7537543f3e06c5d2b59ff7ae6f939fd7997e0debba408cdcac58c254a34073bc
Instruction ID: 02aa5243219dbabb5daaf2508a65863e7fc47346bd269a1ba14c2470b70157d9
Opcode Fuzzy Hash: 7537543f3e06c5d2b59ff7ae6f939fd7997e0debba408cdcac58c254a34073bc
Instruction Fuzzy Hash: 78D0C9B480111DEBCBA0CB90DC88DD9B3BCBB04345F104251F106A2140D77899488F20

Function 0071CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a784fde2932e66391fa6593ce2eb468100691ea19348762339c60e3ae029bb85
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 48024B72E402199BDF15CFADC8806EDBBF5EF48314F25816AD819EB380D734AE418B94

Function 006FCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#|, xrefs: 006FCF7F
Variable is not of type 'Object'., xrefs: 00740C40

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#|
API String ID: 0-140544570
Opcode ID: 116a8c93bcb21619c344646a270963424b021dd6540ffbbcf3422729e1c3909c
Instruction ID: d01eeec8b42d4c7b103de8fdc97a25af08f397a9beeb8b2638a010f7c62bb072
Opcode Fuzzy Hash: 116a8c93bcb21619c344646a270963424b021dd6540ffbbcf3422729e1c3909c
Instruction Fuzzy Hash: 55328D7090021CDFCF14DF94CA95AFDB7B6BF05314F148059EA06AB292D779AD46CBA0

Function 007668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00766918
FindClose.KERNEL32(00000000), ref: 00766961

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c9cba707c3a41332daddbb39c39cf1122c26cdb390d59a20471d631463d5811b
Instruction ID: 946586fbf5d891cbf882aafd5d0fc2684294cb645e6391514f2d02595fb78898
Opcode Fuzzy Hash: c9cba707c3a41332daddbb39c39cf1122c26cdb390d59a20471d631463d5811b
Instruction Fuzzy Hash: AF11D0316042059FD710CF29C484A26BBE5FF84328F54C69DE86A8F2A2CB34EC05CB90

Function 007637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00774891,?,?,00000035,?), ref: 007637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00774891,?,?,00000035,?), ref: 007637F4

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: eaaa90872d037d478e97af73e84e713d38d6ce93225d656bb64fc7df5135b71a
Instruction ID: 46d4d1bac44366ae50372ed912194b3b33dc3458729e757cc6e1ce58dd98935c
Opcode Fuzzy Hash: eaaa90872d037d478e97af73e84e713d38d6ce93225d656bb64fc7df5135b71a
Instruction Fuzzy Hash: D0F0E5B06052296AE72017769C8DFEB3BAEEFC4761F000265F509D2281D9749904C7B4

Function 0075B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0075B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0075B270

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3eb39bee4975ec1909556d39160a227f9a57ee218eb47d90af6b2538227a0715
Instruction ID: dbe7bb4b0b8816c845003aed18cff498e1e8ceec8dd7106588717e00d8123309
Opcode Fuzzy Hash: 3eb39bee4975ec1909556d39160a227f9a57ee218eb47d90af6b2538227a0715
Instruction Fuzzy Hash: CAF01D7184428DABDF059FA0C805BFE7BB4FF08305F10C009F955A5191C77D86159FA4

Function 007510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007511FC), ref: 007510D4
CloseHandle.KERNEL32(?,?,007511FC), ref: 007510E9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ab8b0be0a0f3ff2a20b87fe338eae88f66232465f8669fff0d7e8dd82983938e
Instruction ID: 52a08e18ee6b74f55ae8786dd88e28ddb965372eeb77f812890c4c6af4894243
Opcode Fuzzy Hash: ab8b0be0a0f3ff2a20b87fe338eae88f66232465f8669fff0d7e8dd82983938e
Instruction Fuzzy Hash: 8AE04F32004600EEE7262B61FC09E7377E9EB04311B20C92DF4A5808F1DB76AC90DB64

Function 0072676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00726766,?,?,00000008,?,?,0072FEFE,00000000), ref: 00726998

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2905eec165dfff64997dd97ff0de311c23e2a9d5816b9a15c4bf76501c82d1d6
Instruction ID: 91d3b1df60aad6147dc9de3d94ed8f0737ddaffeebbe5b29866f539f06fed5d8
Opcode Fuzzy Hash: 2905eec165dfff64997dd97ff0de311c23e2a9d5816b9a15c4bf76501c82d1d6
Instruction Fuzzy Hash: 51B148316106189FD719CF28D48AB657BA0FF05364F25C69AE8D9CF2A2C739E981CB40

Function 0070B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0074851F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9e3c7c6e11921ca34d6ae5860b379845dad78f4eed114fb801859351fa38e6de
Instruction ID: 5e88f9de49730de69faf2a7de7a68e0142094b836f3f58ece2115c2b80dc3968
Opcode Fuzzy Hash: 9e3c7c6e11921ca34d6ae5860b379845dad78f4eed114fb801859351fa38e6de
Instruction Fuzzy Hash: 8A124071900229DFDB54CF58C881AEEB7F5FF48710F14819AE849EB295DB389E81CB91

Function 0076EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0076EABD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f95f11fd11d90becfa6e7ed1c822834d2b5decadc272e625332b7645e5169d67
Instruction ID: a05868667fbddac56f579678e69aee6dd9d0fa2de95856abc2dd87c5a49d911e
Opcode Fuzzy Hash: f95f11fd11d90becfa6e7ed1c822834d2b5decadc272e625332b7645e5169d67
Instruction Fuzzy Hash: 2AE04F352002089FC710EF99D844EAAF7EAAF98770F10C42AFD4AC7351DB74E8408BA4

Function 007109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007103EE), ref: 007109DA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 497e48832632899f06585627cf79dbf50c98f76b5e9902b9452f4e19d5cac428
Instruction ID: 904296e70eab61751267da4243684bd7227597b102c653e16a97a5edd82e2cdf
Opcode Fuzzy Hash: 497e48832632899f06585627cf79dbf50c98f76b5e9902b9452f4e19d5cac428
Instruction Fuzzy Hash:

Function 0071781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0071798B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5b141596717b04cbeca30450a2fb426da03f5e764549d8829c8621b5e6f8cda2
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: DE515AB160C7459BDB3C456C889E7FE63B99B12340F180509E882DB2C2C61DEECAD356

Function 00762046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&|, xrefs: 00762053

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: 0&|
API String ID: 0-1095205553
Opcode ID: 84dbe7e1acdd3b8362112475fe2ca0a8550df4907b7eff91fae41d2abaa92318
Instruction ID: 4c39fa1226f2f874897c7de784906fef8e5a90cde67c5f74a5baf4926ed8c6d1
Opcode Fuzzy Hash: 84dbe7e1acdd3b8362112475fe2ca0a8550df4907b7eff91fae41d2abaa92318
Instruction Fuzzy Hash: 3621D5322206158BD728CF79C82267A73E5A754310F14862EE4A7D37D1DE3EA905CB94

Function 00726DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067eee942d04fbce1f5fcfb2c44beb9201b80a07337c43c1a36f222c5916e57d
Instruction ID: 1eec1fa6f4d6a65e187051957936a749c5ffa8745bf7c3b02ea72e8ba241647d
Opcode Fuzzy Hash: 067eee942d04fbce1f5fcfb2c44beb9201b80a07337c43c1a36f222c5916e57d
Instruction Fuzzy Hash: E3325721D29F514DD727A635ED62335A289AFB73C5F15C337F81AB59AAEB2CC4838100

Function 0070CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6f28e58858fe4bced97187e8df461b60da526c961d31a20f6aab28edfd508f
Instruction ID: ade38043bbb61fe05644ea87c892396dea8e9e2b81539dd518de3ce22f549491
Opcode Fuzzy Hash: 5a6f28e58858fe4bced97187e8df461b60da526c961d31a20f6aab28edfd508f
Instruction Fuzzy Hash: AB322431B02115CBEF6ACF28C4D067E77E1EB45304F29866AD44A9B292E73CDD81DB61

Function 006F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34246337b4e15007510922d128394e6c5a563c010c86a073ef749e24a5c57127
Instruction ID: e4fd4e029b0f3187815befbf3a6d5e5e239febc050153fd63d8e0676303c0ae9
Opcode Fuzzy Hash: 34246337b4e15007510922d128394e6c5a563c010c86a073ef749e24a5c57127
Instruction Fuzzy Hash: 6F2290B0A04609DFDF14CFA4C881AFEB7F6FF44300F144629E916A7291EB39A955CB54

Function 006F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576b7bc6f381cf710cc412c15247c9d4538ba55f444df2414d753a8459fe9004
Instruction ID: 05b66eafda1619f997a29fe017104e8dc38ecaac20a5c0664cc4bea33bd06559
Opcode Fuzzy Hash: 576b7bc6f381cf710cc412c15247c9d4538ba55f444df2414d753a8459fe9004
Instruction Fuzzy Hash: EE02B4B1A00209EBDF14DF64D881BAEB7B2FF44300F118169E9169B3D1EB35AE51CB95

Function 00729EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7076f3f756463febdcdbf3319e23dfdb81d6062cb862dacc51a5fe1237f01de6
Instruction ID: 77a2de8879f3c632e4e8d010829035629ec0413e7c1c46c3d7765211db2467ff
Opcode Fuzzy Hash: 7076f3f756463febdcdbf3319e23dfdb81d6062cb862dacc51a5fe1237f01de6
Instruction Fuzzy Hash: 4AB12320D6AF505DD72396398831336B65CAFBB6D5F91D31BFC2A74D22EB2686834140

Function 00711C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 87558c01b2c2096b0eaa61ed1fe254848871f534a2894b163aa6ec7fb4fd5f27
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6F91AA722080E34ADB2D467E94340BEFFE15A923A235A079DD5F2CF1C5FE18D998D620

Function 00711F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 579f56e5051b5728953e472afe63100ccb577fbf192b85ee47388aad444df1fb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6B917B722090E34AD76D863D84740BDFFE15A923A131A079DD5F2CF1C6EE28D9E5E620

Function 007119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 32f8ddb0aa0125807037b8225808e58753f24e5817b7bdbea925e78d1cb81e86
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D591A37220D0E34ADB2D427E84740BDFFE15A923A135A479ED5F2CE1C1FD28D5A4D620

Function 00717A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f2d8fb9554034da7b57cab2a4b76432bcf956f5bc44325fa079945c87bc2a2
Instruction ID: 65a1f723822b0c915a2c774eb89ee040b6101187353bd43d5ee6017fcdd77e7d
Opcode Fuzzy Hash: 40f2d8fb9554034da7b57cab2a4b76432bcf956f5bc44325fa079945c87bc2a2
Instruction Fuzzy Hash: 9E6118B160C74996DB3C5A2C8995BFE63B9DF41700F244919E842DB2C1DB1DDEC2C396

Function 00717CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155914fd3cfd53e57316b3c98b5c6d2af9e174612cc4bb90497549baed847948
Instruction ID: ee5e4d417bb9930c0e04b40094fd9cb68a10fac1bb928fd1240112bc2e06386a
Opcode Fuzzy Hash: 155914fd3cfd53e57316b3c98b5c6d2af9e174612cc4bb90497549baed847948
Instruction Fuzzy Hash: A461467130C60D96DB3C4A2C6896BFE23F49F42704F104959E9C2DB2C1DA1EEDC6C256

Function 00711706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 74e2377194124575f37d05107b23843174a73c9973cd779d81f9868402ac1a52
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 118163726090E30DDB6D823E85344BEFFE15A923B135A479DD5F2CE1C1EE289694E620

Function 00772ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00772B30
DeleteObject.GDI32(00000000), ref: 00772B43
DestroyWindow.USER32 ref: 00772B52
GetDesktopWindow.USER32 ref: 00772B6D
GetWindowRect.USER32(00000000), ref: 00772B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00772CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00772CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772CF8
GetClientRect.USER32(00000000,?), ref: 00772D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00772D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D80
GlobalLock.KERNEL32(00000000), ref: 00772D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772D98
GlobalUnlock.KERNEL32(00000000), ref: 00772DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772DA8
GlobalFree.KERNEL32(00000000), ref: 00772DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0078FC38,00000000), ref: 00772DDB
GlobalFree.KERNEL32(00000000), ref: 00772DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00772E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00772E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00772E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0077303F

Strings

, xrefs: 00772FC5
AutoIt v3, xrefs: 00772CF2
DISPLAY, xrefs: 00772EA2
static, xrefs: 00772D3A, 00772E91

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b7d0cd24f97609c75debcaf556f8dcf92568cedd2072246cd28b13e724f6a2fa
Instruction ID: 9824b90020045b80b193656a953e2cb58b8aaee30b6222d37baaccd9ed0afbe5
Opcode Fuzzy Hash: b7d0cd24f97609c75debcaf556f8dcf92568cedd2072246cd28b13e724f6a2fa
Instruction Fuzzy Hash: 39027F71900208AFDB15DF64CC89EAE7BB9FF49350F108158F915AB2A1DB78ED01CB64

Function 007870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0078712F
GetSysColorBrush.USER32(0000000F), ref: 00787160
GetSysColor.USER32(0000000F), ref: 0078716C
SetBkColor.GDI32(?,000000FF), ref: 00787186
SelectObject.GDI32(?,?), ref: 00787195
InflateRect.USER32(?,000000FF,000000FF), ref: 007871C0
GetSysColor.USER32(00000010), ref: 007871C8
CreateSolidBrush.GDI32(00000000), ref: 007871CF
FrameRect.USER32(?,?,00000000), ref: 007871DE
DeleteObject.GDI32(00000000), ref: 007871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00787230
FillRect.USER32(?,?,?), ref: 00787262
GetWindowLongW.USER32(?,000000F0), ref: 00787284

Part of subcall function 007873E8: GetSysColor.USER32(00000012), ref: 00787421
Part of subcall function 007873E8: SetTextColor.GDI32(?,?), ref: 00787425
Part of subcall function 007873E8: GetSysColorBrush.USER32(0000000F), ref: 0078743B
Part of subcall function 007873E8: GetSysColor.USER32(0000000F), ref: 00787446
Part of subcall function 007873E8: GetSysColor.USER32(00000011), ref: 00787463
Part of subcall function 007873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00787471
Part of subcall function 007873E8: SelectObject.GDI32(?,00000000), ref: 00787482
Part of subcall function 007873E8: SetBkColor.GDI32(?,00000000), ref: 0078748B
Part of subcall function 007873E8: SelectObject.GDI32(?,?), ref: 00787498
Part of subcall function 007873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007874B7
Part of subcall function 007873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007874CE
Part of subcall function 007873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007874DB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a6e21b40c91abf5bddb595f936ad36c5e88c43cf353386a0f60903bb882abfa8
Instruction ID: be51df0df916fac22941e5d8dbaba171575a269cf26cf59f90d650a01ab8c321
Opcode Fuzzy Hash: a6e21b40c91abf5bddb595f936ad36c5e88c43cf353386a0f60903bb882abfa8
Instruction Fuzzy Hash: 64A1B072448305EFDB06AF60DC48E5B7BA9FF89320F304A19F962961E1D738E944CB65

Function 00708D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00708E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00746AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00746AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00746F43

Part of subcall function 00708F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00708BE8,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708FC5

SendMessageW.USER32(?,00001053), ref: 00746F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00746F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00746FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00746FB7

Strings

0, xrefs: 00746DCF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6a1a028eb8594c5e491d902a64a5ea05d3a773e381ce138322e43b35f5413181
Instruction ID: 3a69abcf036d06a0250c2a0ddf2bce76566739300c814011aa9d292105663c80
Opcode Fuzzy Hash: 6a1a028eb8594c5e491d902a64a5ea05d3a773e381ce138322e43b35f5413181
Instruction Fuzzy Hash: AB12BE70600251DFDB25CF24C888BA5B7E1FB46300F6485A9F5958B2A2CB39EC51DFA6

Function 00772711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0077273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0077286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00772900
GetClientRect.USER32(00000000,?), ref: 0077290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00772955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00772964
GetStockObject.GDI32(00000011), ref: 00772974
SelectObject.GDI32(00000000,00000000), ref: 00772978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00772988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00772991
DeleteDC.GDI32(00000000), ref: 0077299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00772A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00772A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00772A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00772A77
GetStockObject.GDI32(00000011), ref: 00772A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00772A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00772A97

Strings

AutoIt v3, xrefs: 007728F8
DISPLAY, xrefs: 0077295A
static, xrefs: 0077294F, 00772A71
msctls_progress32, xrefs: 00772A13

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 264b1dc13d571fb2cd0368f794fa311372746b61eeaf7c10ca134f39ab7f10f5
Instruction ID: f69cf8864e50b11d122cc1b7fd95fdc7d8b10526f20625587284271bb31ee8c3
Opcode Fuzzy Hash: 264b1dc13d571fb2cd0368f794fa311372746b61eeaf7c10ca134f39ab7f10f5
Instruction Fuzzy Hash: 5CB162B1A40209AFDB14DF68CD89FAE7BB9EB05714F108118FA15E7291D778ED40CBA4

Function 00764ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00764AED
GetDriveTypeW.KERNEL32(?,0078CB68,?,\\.\,0078CC08), ref: 00764BCA
SetErrorMode.KERNEL32(00000000,0078CB68,?,\\.\,0078CC08), ref: 00764D36

Strings

Removable, xrefs: 00764C10, 00764C15
ATA, xrefs: 00764C98
SCSI, xrefs: 00764C8A
FileBackedVirtual, xrefs: 00764CEC
PhysicalDrive, xrefs: 00764B76
USB, xrefs: 00764CB4
SSA, xrefs: 00764CA6
ATAPI, xrefs: 00764C91
SAS, xrefs: 00764CC9
Unknown, xrefs: 00764BED, 00764C83
Fixed, xrefs: 00764C09
RAMDisk, xrefs: 00764BF4
1394, xrefs: 00764C9F
MMC, xrefs: 00764CDE
SATA, xrefs: 00764CD0
Network, xrefs: 00764C02
\\.\, xrefs: 00764B3F
CDROM, xrefs: 00764BFB
iSCSI, xrefs: 00764CC2
Virtual, xrefs: 00764CE5
Fibre, xrefs: 00764CAD
RAID, xrefs: 00764CBB
SSD, xrefs: 00764C4A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 530c3b80d751626368767e08cf3d8714f62f674684b045b3fdec0fe3a239177a
Instruction ID: a62570f7710f179d1cceceb6059f88aa7dc41c348914373f1142afbdd155e3f9
Opcode Fuzzy Hash: 530c3b80d751626368767e08cf3d8714f62f674684b045b3fdec0fe3a239177a
Instruction Fuzzy Hash: F261D0B070510ADBCB54DF28CA91AB97BB1AF04340B288419FE07AB791DB3DED41DB65

Function 007873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00787421
SetTextColor.GDI32(?,?), ref: 00787425
GetSysColorBrush.USER32(0000000F), ref: 0078743B
GetSysColor.USER32(0000000F), ref: 00787446
CreateSolidBrush.GDI32(?), ref: 0078744B
GetSysColor.USER32(00000011), ref: 00787463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00787471
SelectObject.GDI32(?,00000000), ref: 00787482
SetBkColor.GDI32(?,00000000), ref: 0078748B
SelectObject.GDI32(?,?), ref: 00787498
InflateRect.USER32(?,000000FF,000000FF), ref: 007874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0078752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00787554
InflateRect.USER32(?,000000FD,000000FD), ref: 00787572
DrawFocusRect.USER32(?,?), ref: 0078757D
GetSysColor.USER32(00000011), ref: 0078758E
SetTextColor.GDI32(?,00000000), ref: 00787596
DrawTextW.USER32(?,007870F5,000000FF,?,00000000), ref: 007875A8
SelectObject.GDI32(?,?), ref: 007875BF
DeleteObject.GDI32(?), ref: 007875CA
SelectObject.GDI32(?,?), ref: 007875D0
DeleteObject.GDI32(?), ref: 007875D5
SetTextColor.GDI32(?,?), ref: 007875DB
SetBkColor.GDI32(?,?), ref: 007875E5

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e5b8d23687b3e0a2a93c133b6e77f689f84769494711d28d99aa6520ba25c7d8
Instruction ID: adfaaa96afbffe21092051664207bd97fd9462e8cfa7c4d1402bbb678355ad41
Opcode Fuzzy Hash: e5b8d23687b3e0a2a93c133b6e77f689f84769494711d28d99aa6520ba25c7d8
Instruction Fuzzy Hash: 46616E72D40218EFDF059FA4DC49EAE7FB9EB08320F218115F915AB2A1D7789940CBA4

Function 00780FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00781128
GetDesktopWindow.USER32 ref: 0078113D
GetWindowRect.USER32(00000000), ref: 00781144
GetWindowLongW.USER32(?,000000F0), ref: 00781199
DestroyWindow.USER32(?), ref: 007811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0078120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0078121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00781232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00781245
IsWindowVisible.USER32(00000000), ref: 007812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007812D0
GetWindowRect.USER32(00000000,?), ref: 007812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0078130E
GetMonitorInfoW.USER32(00000000,?), ref: 00781328
CopyRect.USER32(?,?), ref: 0078133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007813AA

Strings

(, xrefs: 0078131B
0, xrefs: 007810D3
tooltips_class32, xrefs: 007811E6

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fba2226dea6a22a820fe746667c154aeb9dce281b8096017e8cbf36109f98e6f
Instruction ID: 79626eb9fc2be9dfa5b28fe78f6882f9fe7d669834b0b3b5555e9b4b177cb5f9
Opcode Fuzzy Hash: fba2226dea6a22a820fe746667c154aeb9dce281b8096017e8cbf36109f98e6f
Instruction Fuzzy Hash: 95B1BE71644341AFD700EF64C888B6BBBE9FF84310F40891CF9999B2A1D735E845CBA6

Function 00708891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00708968
GetSystemMetrics.USER32(00000007), ref: 00708970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0070899B
GetSystemMetrics.USER32(00000008), ref: 007089A3
GetSystemMetrics.USER32(00000004), ref: 007089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00708A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00708A3C
GetClientRect.USER32(00000000,000000FF), ref: 00708A5A
GetStockObject.GDI32(00000011), ref: 00708A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00708A81

Part of subcall function 0070912D: GetCursorPos.USER32(?), ref: 00709141
Part of subcall function 0070912D: ScreenToClient.USER32(00000000,?), ref: 0070915E
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000001), ref: 00709183
Part of subcall function 0070912D: GetAsyncKeyState.USER32(00000002), ref: 0070919D

SetTimer.USER32(00000000,00000000,00000028,007090FC), ref: 00708AA8

Strings

AutoIt v3 GUI, xrefs: 00708A20

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 715c597f980aef09f9a0ad9c3994cf66c390be2eae56f5b67324d7ae885ef6fc
Instruction ID: 6401232ba5d88105b64214e7f1864ceb24a29ed022e6ed79716bb170fe3721d1
Opcode Fuzzy Hash: 715c597f980aef09f9a0ad9c3994cf66c390be2eae56f5b67324d7ae885ef6fc
Instruction Fuzzy Hash: 58B16D71A40209DFDF15DF68CC49BAA3BB5FB49314F218229FA15A72D0DB38E840CB55

Function 00750D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
Part of subcall function 007510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
Part of subcall function 007510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
Part of subcall function 007510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
Part of subcall function 007510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00750DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00750E29
GetLengthSid.ADVAPI32(?), ref: 00750E40
GetAce.ADVAPI32(?,00000000,?), ref: 00750E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00750E96
GetLengthSid.ADVAPI32(?), ref: 00750EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00750EB5
HeapAlloc.KERNEL32(00000000), ref: 00750EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00750EDD
CopySid.ADVAPI32(00000000), ref: 00750EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00750F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00750F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00750F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F6E
HeapFree.KERNEL32(00000000), ref: 00750F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F7E
HeapFree.KERNEL32(00000000), ref: 00750F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00750F8E
HeapFree.KERNEL32(00000000), ref: 00750F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00750FA1
HeapFree.KERNEL32(00000000), ref: 00750FA8

Part of subcall function 00751193: GetProcessHeap.KERNEL32(00000008,00750BB1,?,00000000,?,00750BB1,?), ref: 007511A1
Part of subcall function 00751193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00750BB1,?), ref: 007511A8
Part of subcall function 00751193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00750BB1,?), ref: 007511B7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 09958bc268ad3cb8aa8ecc5bf7908215b84524ac4d73ba186bb3123e33dd18e7
Instruction ID: 44b0ab8088c148651034bb9230fdaba50a5687ef42b6c60e8b2d76fcce29ceb6
Opcode Fuzzy Hash: 09958bc268ad3cb8aa8ecc5bf7908215b84524ac4d73ba186bb3123e33dd18e7
Instruction Fuzzy Hash: B6715E7190020AEBDF219FA4DC49FEEBBB8BF04741F148115F919E6191D7799A09CBB0

Function 0077C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0078CC08,00000000,?,00000000,?,?), ref: 0077C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0077C5A4
_wcslen.LIBCMT ref: 0077C5F4
_wcslen.LIBCMT ref: 0077C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0077C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0077C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0077C84D
RegCloseKey.ADVAPI32(?), ref: 0077C881
RegCloseKey.ADVAPI32(00000000), ref: 0077C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0077C960

Strings

REG_EXPAND_SZ, xrefs: 0077C5CD
REG_QWORD, xrefs: 0077C8C3
REG_DWORD, xrefs: 0077C804
REG_MULTI_SZ, xrefs: 0077C6F5
REG_BINARY, xrefs: 0077C913
REG_SZ, xrefs: 0077C644

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 221223d2f6300ccd4f444bc9880e62a8979e39ccfe9d7f2b9889327cf2140d36
Instruction ID: d3ebae17e31971fdb62de6e80e078127e1119c216cd7e198d37a33d29927448a
Opcode Fuzzy Hash: 221223d2f6300ccd4f444bc9880e62a8979e39ccfe9d7f2b9889327cf2140d36
Instruction Fuzzy Hash: 8F1267352042019FDB15DF24C881A2AB7E6EF88754F14C89CF98A9B3A2DB35FD45CB85

Function 0078091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007809C6
_wcslen.LIBCMT ref: 00780A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00780A54
_wcslen.LIBCMT ref: 00780A8A
_wcslen.LIBCMT ref: 00780B06
_wcslen.LIBCMT ref: 00780B81

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

Part of subcall function 00752BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00752BFA

Strings

SELECT, xrefs: 00780D11
GETTOTALCOUNT, xrefs: 007809F2, 00780A17
EXPAND, xrefs: 00780BF8
COLLAPSE, xrefs: 00780B01, 00780B1C
EXISTS, xrefs: 00780B7C, 00780B97
GETTEXT, xrefs: 00780C97
ISCHECKED, xrefs: 00780CE1
UNCHECK, xrefs: 00780D3E
CHECK, xrefs: 00780A85, 00780AA0
GETSELECTED, xrefs: 00780C4E
GETITEMCOUNT, xrefs: 00780C1E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 20eaf88e0eec19585bb09baef393912ae022ed87ffb1e88d25e0b56af66ec69a
Instruction ID: 73ba9d24a6f8112ca6db4ce58ee19e109a2adb95051309455ef39aef8cf1e298
Opcode Fuzzy Hash: 20eaf88e0eec19585bb09baef393912ae022ed87ffb1e88d25e0b56af66ec69a
Instruction Fuzzy Hash: FCE1AC71248301CFC758EF24C45096AB7E2BF98314F14895CF8969B3A2DB38ED49CB92

Function 0077C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
_wcslen.LIBCMT ref: 0077C9F1
_wcslen.LIBCMT ref: 0077CA68
_wcslen.LIBCMT ref: 0077CA9E
_wcslen.LIBCMT ref: 0077CAF9
_wcslen.LIBCMT ref: 0077CB2F
_wcslen.LIBCMT ref: 0077CB7F

Strings

HKCU, xrefs: 0077CBCE
HKEY_CLASSES_ROOT, xrefs: 0077CAF3, 0077CAF8
HKU, xrefs: 0077CBF0
HKEY_USERS, xrefs: 0077CBDF
HKEY_CURRENT_CONFIG, xrefs: 0077CB79, 0077CB7E
HKLM, xrefs: 0077CA98, 0077CA9D
HKEY_LOCAL_MACHINE, xrefs: 0077CA62, 0077CA67
HKCC, xrefs: 0077CBAC
HKCR, xrefs: 0077CB29, 0077CB2E
HKEY_CURRENT_USER, xrefs: 0077CBBD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 26faa52ef5fd53481696ddb05aecb6fe4ed3bbced7cb683a4e3cc6cb2e7a0e5f
Instruction ID: 48b1a3a6888d44cdb3ae678f1c3b1a63f02e1639d89a5fb6e7e8c7355bde553b
Opcode Fuzzy Hash: 26faa52ef5fd53481696ddb05aecb6fe4ed3bbced7cb683a4e3cc6cb2e7a0e5f
Instruction Fuzzy Hash: B271E67260016A8BCF22DE7CCD416FA33919BA87D4B25C52CF85DA7294EA3DDD44C3A0

Function 0078833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078835A
_wcslen.LIBCMT ref: 0078836E
_wcslen.LIBCMT ref: 00788391
_wcslen.LIBCMT ref: 007883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0078361A,?), ref: 0078844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00788501
FreeLibrary.KERNEL32(?), ref: 0078850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078851D
DestroyIcon.USER32(?), ref: 0078852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00788549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00788555

Strings

.exe, xrefs: 00788388
.dll, xrefs: 007883AB
.icl, xrefs: 00788368

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 6b412e0254c9c2ba2627ba600f2472ba604e526f5d74ca266c39eeb1aa9cfcd7
Instruction ID: cba729cb586143a4dcae90faa06fe8ee46b06703b14b4d7ea96f9ecf7ff498b5
Opcode Fuzzy Hash: 6b412e0254c9c2ba2627ba600f2472ba604e526f5d74ca266c39eeb1aa9cfcd7
Instruction Fuzzy Hash: 8761D172580219FAEB14EF64CC45BFE77A8BF04721F608509F915E60D1DB78A990C7A0

Function 006F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00735279
#requireadmin, xrefs: 006F77FF
#ce, xrefs: 006F78ED
#OnAutoItStartRegister, xrefs: 006F7817
Unterminated group of comments, xrefs: 0073528C
', xrefs: 00735169
#include-once, xrefs: 006F782F
#pragma compile, xrefs: 006F77D3
", xrefs: 00735153
Bad directive syntax error, xrefs: 0073519A
#comments-start, xrefs: 006F785F, 006F78B1
#notrayicon, xrefs: 006F77E7
#include, xrefs: 006F7847
#cs, xrefs: 006F7873, 006F78C5
#comments-end, xrefs: 006F78D9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 64448ebeecb36dd279d00fc27267511321e7b34ec61ebe00cc38cf00b5133544
Instruction ID: c6229d0b700f9a94923fc7205740f3bf559b54c57198078aee75d17d1967ef05
Opcode Fuzzy Hash: 64448ebeecb36dd279d00fc27267511321e7b34ec61ebe00cc38cf00b5133544
Instruction Fuzzy Hash: 1B81F6B1644609FBEB21BF64CC46FFE77AAAF15300F044024FA04AA1D6EB78D955C7A1

Function 00763E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00763EF8
_wcslen.LIBCMT ref: 00763F03
_wcslen.LIBCMT ref: 00763F5A
_wcslen.LIBCMT ref: 00763F98
GetDriveTypeW.KERNEL32(?), ref: 00763FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0076401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00764087

Strings

wait, xrefs: 00764044
close cd wait, xrefs: 00764072
type cdaudio alias cd wait, xrefs: 00764001
closed, xrefs: 00763F08, 00763F2D, 00763F46, 00763F7E, 00763F97
open , xrefs: 00763FE5
close, xrefs: 00763EFE, 00763F18
set cd door , xrefs: 00764028
open, xrefs: 00763F54, 00763F59

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3cbd617b2ff9051a8ff7b1ceb22c6d6df0a5ee297bf172bc9799fa6c13f34208
Instruction ID: a2d7883c05ab1d7f271356490f4627562f4e175b7b5a08a8872abaec26b05bfd
Opcode Fuzzy Hash: 3cbd617b2ff9051a8ff7b1ceb22c6d6df0a5ee297bf172bc9799fa6c13f34208
Instruction Fuzzy Hash: 987124726042169FC310EF24C8809BBB7F5EF94754F10492DFA9693291EB38ED45CB51

Function 00755A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00755A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00755A40
SetWindowTextW.USER32(?,?), ref: 00755A57
GetDlgItem.USER32(?,000003EA), ref: 00755A6C
SetWindowTextW.USER32(00000000,?), ref: 00755A72
GetDlgItem.USER32(?,000003E9), ref: 00755A82
SetWindowTextW.USER32(00000000,?), ref: 00755A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00755AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00755AC3
GetWindowRect.USER32(?,?), ref: 00755ACC
_wcslen.LIBCMT ref: 00755B33
SetWindowTextW.USER32(?,?), ref: 00755B6F
GetDesktopWindow.USER32 ref: 00755B75
GetWindowRect.USER32(00000000), ref: 00755B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00755BD3
GetClientRect.USER32(?,?), ref: 00755BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00755C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00755C2F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7f3484598fe8607e13042e80e4a55a6bbd374854c4a649561542f8f5adf5162b
Instruction ID: 3a96d082bc561c26d955753d6f09b825a9918f901eeb439f8b73c5875247ac95
Opcode Fuzzy Hash: 7f3484598fe8607e13042e80e4a55a6bbd374854c4a649561542f8f5adf5162b
Instruction Fuzzy Hash: 8371A271A00B05DFDB21DFA8CD59BAEBBF5FF48705F104518E542A25A0D7B8E904CB60

Function 0076FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0076FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0076FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0076FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0076FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0076FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0076FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0076FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0076FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0076FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0076FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0076FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0076FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0076FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0076FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0076FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0076FECC
GetCursorInfo.USER32(?), ref: 0076FEDC
GetLastError.KERNEL32 ref: 0076FF1E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: fc72c8e21f8080ce7cec6e5b28b0bb923723177a9509ab0d0e6607f37d34cf81
Instruction ID: f79cb431d93f6fe3879e79bdba3deffdea568ad6f0aa986026fd1b6ef19c1c22
Opcode Fuzzy Hash: fc72c8e21f8080ce7cec6e5b28b0bb923723177a9509ab0d0e6607f37d34cf81
Instruction Fuzzy Hash: 244153B0D443196ADB109FBA9C8585EBFE8FF04354B50452AE519E7281DB7899018F91

Function 007530F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075318D
_wcslen.LIBCMT ref: 007531F8

Strings

NAME, xrefs: 00753335, 00753346
CLASS, xrefs: 00753188, 007531A5
[{, xrefs: 0075339A
INSTANCE, xrefs: 00753453
CLASSNN, xrefs: 007531F3, 00753204
REGEXPCLASS, xrefs: 00753255, 00753266
TEXT, xrefs: 0075347C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[{
API String ID: 176396367-669646794
Opcode ID: 9ae6060e64349fff247518dbdba72be8148d856ed597807c8dd0f333e6cb176c
Instruction ID: 4852e6b19362d05293c4e77bc153c8206258e10b0ffbb7b7cc225fb0a57bae5d
Opcode Fuzzy Hash: 9ae6060e64349fff247518dbdba72be8148d856ed597807c8dd0f333e6cb176c
Instruction Fuzzy Hash: A7E1F932A00516EBCB149F78C4517FEFBB1BF04791F548129E856E7260DBB8AE8D8790

Function 007100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007100C6

Part of subcall function 007100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007C070C,00000FA0,7E437F93,?,?,?,?,007323B3,000000FF), ref: 0071011C
Part of subcall function 007100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007323B3,000000FF), ref: 00710127
Part of subcall function 007100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007323B3,000000FF), ref: 00710138
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0071014E
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0071015C
Part of subcall function 007100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0071016A
Part of subcall function 007100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00710195
Part of subcall function 007100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007101A0

___scrt_fastfail.LIBCMT ref: 007100E7

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

Strings

WakeAllConditionVariable, xrefs: 00710162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00710122
kernel32.dll, xrefs: 00710133
SleepConditionVariableCS, xrefs: 00710154
InitializeConditionVariable, xrefs: 00710148

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: eee71713bd19dbb1a8c87b44e9be1979cf6aaa35df2df00320e45628780fa942
Instruction ID: e66e1c273826ffa72c42a0f7e1840a10cf95471ea7ff20e14ee962c3d4cbaa17
Opcode Fuzzy Hash: eee71713bd19dbb1a8c87b44e9be1979cf6aaa35df2df00320e45628780fa942
Instruction Fuzzy Hash: FA21C8B2A84714EBD7116B78AC4DB9D3394EB04F51F108129F901E26D1DABC98808BE4

Function 007644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0078CC08), ref: 00764527
_wcslen.LIBCMT ref: 0076453B
_wcslen.LIBCMT ref: 00764599
_wcslen.LIBCMT ref: 007645F4
_wcslen.LIBCMT ref: 0076463F
_wcslen.LIBCMT ref: 007646A7

Part of subcall function 0070F9F2: _wcslen.LIBCMT ref: 0070F9FD

GetDriveTypeW.KERNEL32(?,007B6BF0,00000061), ref: 00764743

Strings

fixed, xrefs: 00764635, 0076463A
unknown, xrefs: 00764708
removable, xrefs: 007645EA, 007645EF
all, xrefs: 00764531, 00764536
cdrom, xrefs: 0076458F, 00764594
ramdisk, xrefs: 007646F1
network, xrefs: 0076469D, 007646A2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 7495e85859b1ead8de7cdb2a6b1d2b0feb18b9d3cefa75c9cb7e2a29eab00119
Instruction ID: 8b9ce1a1ecece5846fc3a31751f9e6f51c645ee377d4b3d00df8b8afa5776fb4
Opcode Fuzzy Hash: 7495e85859b1ead8de7cdb2a6b1d2b0feb18b9d3cefa75c9cb7e2a29eab00119
Instruction Fuzzy Hash: E6B1CF716083029FC714DF28C890A7AB7E5BFA5760F50491DF997C7292E738E944CBA2

Function 0078911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

DragQueryPoint.SHELL32(?,?), ref: 00789147

Part of subcall function 00787674: ClientToScreen.USER32(?,?), ref: 0078769A
Part of subcall function 00787674: GetWindowRect.USER32(?,?), ref: 00787710
Part of subcall function 00787674: PtInRect.USER32(?,?,00788B89), ref: 00787720

SendMessageW.USER32(?,000000B0,?,?), ref: 007891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00789225
SendMessageW.USER32(?,000000B0,?,?), ref: 0078923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00789255
SendMessageW.USER32(?,000000B1,?,?), ref: 00789277
DragFinish.SHELL32(?), ref: 0078927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00789371

Strings

@GUI_DRAGFILE, xrefs: 00789320
@GUI_DROPID, xrefs: 0078929E
p#|, xrefs: 007892BB
@GUI_DRAGID, xrefs: 007892E9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#|
API String ID: 221274066-704254282
Opcode ID: 724aa9b50a8b6baa82540750f990b18b5c5a20d2a0cf435abe284b4d79b5a50a
Instruction ID: 82b4458ee9ca065fbe53dd0a0b236cbbd416fadf477bf234c2c212343454a7db
Opcode Fuzzy Hash: 724aa9b50a8b6baa82540750f990b18b5c5a20d2a0cf435abe284b4d79b5a50a
Instruction Fuzzy Hash: BC61AC71108305AFC701EF60DC89EAFBBE9EF89350F10092DF695921A1DB349A49CB66

Function 00773FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0078CC08), ref: 007740BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007740CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0078CC08), ref: 007740F2
FreeLibrary.KERNEL32(00000000,?,0078CC08), ref: 0077413E
StringFromGUID2.OLE32(?,?,00000028,?,0078CC08), ref: 007741A8
SysFreeString.OLEAUT32(00000009), ref: 00774262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007742C8
SysFreeString.OLEAUT32(?), ref: 007742F2

Strings

GetModuleHandleExW, xrefs: 007740C7
kernel32.dll, xrefs: 007740B6

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: c5782ec47fd886c64e534500d338038d92914f035dbb9e7b3aa0e6cae2f49dd2
Instruction ID: 25a301e12b4901255c6104c5322589cb8d9ea88b55e9673d9046e3418ebaa2b8
Opcode Fuzzy Hash: c5782ec47fd886c64e534500d338038d92914f035dbb9e7b3aa0e6cae2f49dd2
Instruction Fuzzy Hash: 3B122875A00119EFDF14DF94C884EAEBBB9BF45354F24C098E909AB251D735ED42CBA0

Function 006F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007C1990), ref: 00732F8D
GetMenuItemCount.USER32(007C1990), ref: 0073303D
GetCursorPos.USER32(?), ref: 00733081
SetForegroundWindow.USER32(00000000), ref: 0073308A
TrackPopupMenuEx.USER32(007C1990,00000000,?,00000000,00000000,00000000), ref: 0073309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007330A9

Strings

0, xrefs: 006F327D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5c61ad56d8daacd943fa27e7c3a9613fed289e25bd07b40a938394ffe6823376
Instruction ID: 9f30a9d84441f52882867247d7bd43e5218b76219c0f1c18628d96a9df15bc14
Opcode Fuzzy Hash: 5c61ad56d8daacd943fa27e7c3a9613fed289e25bd07b40a938394ffe6823376
Instruction Fuzzy Hash: 13713C70644216BEFB359F24CC49FAABF65FF01364F204216F6246A2E2C7B9AD11C764

Function 00786CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00786DEB

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00786E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00786E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00786E94
DestroyWindow.USER32(?), ref: 00786EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006F0000,00000000), ref: 00786EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00786EFD
GetDesktopWindow.USER32 ref: 00786F16
GetWindowRect.USER32(00000000), ref: 00786F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00786F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00786F4D

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

Strings

tooltips_class32, xrefs: 00786E58, 00786EDD
0, xrefs: 00786D98

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a6955c1b14df404ddb1a6f48329d183adfe00db6c04a87dde382daa279af5834
Instruction ID: 1c50e25f7d7cf64e9ec8685aa1ebcc982307d35a2c2ca9458caf952cc8df88d6
Opcode Fuzzy Hash: a6955c1b14df404ddb1a6f48329d183adfe00db6c04a87dde382daa279af5834
Instruction Fuzzy Hash: 94717870284244AFDB21DF18DC48FAABBE9FB89304F54446DFA8987261D778E905CB25

Function 0076C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0076C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0076C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0076C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0076C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0076C5F0
InternetCloseHandle.WININET(00000000), ref: 0076C5FB

Strings

, xrefs: 0076C575

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 16df5e4230239937fd3373e6be41bbdeb5cab2899969ac21bd74fc946cf21a8b
Instruction ID: 5c342a209f024a323c885b20ed4ef4a2f8acffaa5ba6af2d7654d21d3c84fcd4
Opcode Fuzzy Hash: 16df5e4230239937fd3373e6be41bbdeb5cab2899969ac21bd74fc946cf21a8b
Instruction Fuzzy Hash: 22515EB1540208BFEB228F61CD48ABB7BBCFF08744F24841AF987D6551DB38E9549B64

Function 0078856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00788592
GetFileSize.KERNEL32(00000000,00000000), ref: 007885A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007885AD
CloseHandle.KERNEL32(00000000), ref: 007885BA
GlobalLock.KERNEL32(00000000), ref: 007885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007885D7
GlobalUnlock.KERNEL32(00000000), ref: 007885E0
CloseHandle.KERNEL32(00000000), ref: 007885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007885F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0078FC38,?), ref: 00788611
GlobalFree.KERNEL32(00000000), ref: 00788621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00788641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00788671
DeleteObject.GDI32(00000000), ref: 00788699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007886AF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5612f5c273118012d324dc64a6d7cd3d168f7faec5c1bdb6b19582e96122195e
Instruction ID: 9455179b720ddb24584b13ea8b58290d2fce87123568c050a45cec4e719f8244
Opcode Fuzzy Hash: 5612f5c273118012d324dc64a6d7cd3d168f7faec5c1bdb6b19582e96122195e
Instruction Fuzzy Hash: 03413D75680208AFDB11DF65DC88EAA7BB9FF89711F208058F905D7251DB389D01DB35

Function 007614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00761502
VariantCopy.OLEAUT32(?,?), ref: 0076150B
VariantClear.OLEAUT32(?), ref: 00761517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00761657
VariantInit.OLEAUT32(?), ref: 00761708
SysFreeString.OLEAUT32(?), ref: 0076178C
VariantClear.OLEAUT32(?), ref: 007617D8
VariantClear.OLEAUT32(?), ref: 007617E7
VariantInit.OLEAUT32(00000000), ref: 00761823

Strings

Default, xrefs: 007616AF
%4d%02d%02d%02d%02d%02d, xrefs: 00761625

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8eef3bb8e908d23a8372b5bf78fda24cc8e402c7c5ef037aee154cf145064357
Instruction ID: 447e5a87b5115c9485694d26e9814906ca33f21cbe9f1394481d512d5a44a5ef
Opcode Fuzzy Hash: 8eef3bb8e908d23a8372b5bf78fda24cc8e402c7c5ef037aee154cf145064357
Instruction Fuzzy Hash: 10D1F271A00205EBDB109F65D88DB79F7B5BF44700F58815AF807AB582EB38ED50DB61

Function 0077B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0077B80A
RegCloseKey.ADVAPI32(?), ref: 0077B87E
RegCloseKey.ADVAPI32(?), ref: 0077B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0077B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0077B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0077B922
FreeLibrary.KERNEL32(00000000), ref: 0077B983
RegCloseKey.ADVAPI32(00000000), ref: 0077B994

Strings

RegDeleteKeyExW, xrefs: 0077B8FE
advapi32.dll, xrefs: 0077B8ED

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0076d48f25cd45e33f1baf0a263b472da73dd3776eeeebb178a134823d715b13
Instruction ID: 9ba3bc1f61596b5e199808fe296a123f317f8057bd5389162c2dbe51a70d6c34
Opcode Fuzzy Hash: 0076d48f25cd45e33f1baf0a263b472da73dd3776eeeebb178a134823d715b13
Instruction Fuzzy Hash: 02C16C70208201EFDB14DF14C494F2ABBE5BF84358F14C45CE5AA8B2A2CB79E845CB92

Function 0077255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007725E8
CreateCompatibleDC.GDI32(?), ref: 007725F4
SelectObject.GDI32(00000000,?), ref: 00772601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0077266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007726D0
SelectObject.GDI32(?,?), ref: 007726D8
DeleteObject.GDI32(?), ref: 007726E1
DeleteDC.GDI32(?), ref: 007726E8
ReleaseDC.USER32(00000000,?), ref: 007726F3

Strings

(, xrefs: 0077268D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 86ab45f636ee05850a4b4731e8cac93a22a6616a2513aeb4d5075ab562567ca6
Instruction ID: 44e01638d8fc8123b0e1ceabaed59ddc4a356817a6e70a0f8672131cc8b38f4f
Opcode Fuzzy Hash: 86ab45f636ee05850a4b4731e8cac93a22a6616a2513aeb4d5075ab562567ca6
Instruction Fuzzy Hash: 2E6115B5D00209EFCF05CFA4D888AAEBBF5FF48310F20852AE559A7251E734A941CF64

Function 0072DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0072DAA1

Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D659
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D66B
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D67D
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D68F
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6A1
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6B3
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6C5
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6D7
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6E9
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D6FB
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D70D
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D71F
Part of subcall function 0072D63C: _free.LIBCMT ref: 0072D731

_free.LIBCMT ref: 0072DA96

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072DAB8
_free.LIBCMT ref: 0072DACD
_free.LIBCMT ref: 0072DAD8
_free.LIBCMT ref: 0072DAFA
_free.LIBCMT ref: 0072DB0D
_free.LIBCMT ref: 0072DB1B
_free.LIBCMT ref: 0072DB26
_free.LIBCMT ref: 0072DB5E
_free.LIBCMT ref: 0072DB65
_free.LIBCMT ref: 0072DB82
_free.LIBCMT ref: 0072DB9A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fbab61daa6e1ca46dd4917aa0dbf40bc73da13ffb298b3acdc7fc0b6b8ef5514
Instruction ID: 12c952bde6553e6687f1add7f44f500840b6ec9c168d5ef4ccfbddabc94a47db
Opcode Fuzzy Hash: fbab61daa6e1ca46dd4917aa0dbf40bc73da13ffb298b3acdc7fc0b6b8ef5514
Instruction Fuzzy Hash: ED315C71604224EFEB31AB38F849B5677E9FF04310F518429E489E71A2DA38FC818B60

Function 0075365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0075369C
_wcslen.LIBCMT ref: 007536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00753797
GetClassNameW.USER32(?,?,00000400), ref: 0075380C
GetDlgCtrlID.USER32(?), ref: 0075385D
GetWindowRect.USER32(?,?), ref: 00753882
GetParent.USER32(?), ref: 007538A0
ScreenToClient.USER32(00000000), ref: 007538A7
GetClassNameW.USER32(?,?,00000100), ref: 00753921
GetWindowTextW.USER32(?,?,00000400), ref: 0075395D

Strings

%s%u, xrefs: 00753734

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: fb780586aa6200fa9b1dd8b182551f0d9ece2ac654cb408ff93c150d23bcfe57
Instruction ID: 1a11795e8818dc097fa23be0d0152b4a382a3325a392ef9139e2cb1668e900cb
Opcode Fuzzy Hash: fb780586aa6200fa9b1dd8b182551f0d9ece2ac654cb408ff93c150d23bcfe57
Instruction Fuzzy Hash: A191F9B1204606EFD709DF24C885BEAF7A8FF44355F008519FD99C21A0DB78EA59CBA1

Function 00754954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00754994
GetWindowTextW.USER32(?,?,00000400), ref: 007549DA
_wcslen.LIBCMT ref: 007549EB
CharUpperBuffW.USER32(?,00000000), ref: 007549F7
_wcsstr.LIBVCRUNTIME ref: 00754A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00754A64
GetWindowTextW.USER32(?,?,00000400), ref: 00754A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00754AE6
GetClassNameW.USER32(?,?,00000400), ref: 00754B20
GetWindowRect.USER32(?,?), ref: 00754B8B

Strings

ThumbnailClass, xrefs: 00754A6F, 00754AF1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c4f5fd482cc76d94b6b341c630ab877385cfe699313dd2b2cb2654f211574e27
Instruction ID: abf19ec6c0d414644cbe29b8e1c9bf19b6f3918c205c02f58f417f8b64f98beb
Opcode Fuzzy Hash: c4f5fd482cc76d94b6b341c630ab877385cfe699313dd2b2cb2654f211574e27
Instruction Fuzzy Hash: 6591BE71104209DFDB05CF14C985BEA77E8FF84319F048469FD859A096EBB8ED89CBA1

Function 0075BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(007C1990,000000FF,00000000,00000030), ref: 0075BFAC
SetMenuItemInfoW.USER32(007C1990,00000004,00000000,00000030), ref: 0075BFE1
Sleep.KERNEL32(000001F4), ref: 0075BFF3
GetMenuItemCount.USER32(?), ref: 0075C039
GetMenuItemID.USER32(?,00000000), ref: 0075C056
GetMenuItemID.USER32(?,-00000001), ref: 0075C082
GetMenuItemID.USER32(?,?), ref: 0075C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0075C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075C145

Strings

0, xrefs: 0075BF3D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: fd7b940bde4ea6cab50fa1ab640436956e5009e611b2d26c41723d42afdf3ec7
Instruction ID: 4a39ad5e68741e2cd9ff9a5cd94b995146448749a8feec4e905135768df78b62
Opcode Fuzzy Hash: fd7b940bde4ea6cab50fa1ab640436956e5009e611b2d26c41723d42afdf3ec7
Instruction Fuzzy Hash: ED616FB0900349AFDF12CF68DD88BFE7BA8EB05345F104055ED15A3291D7B9AD59CB60

Function 0077CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0077CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0077CD48

Part of subcall function 0077CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0077CCAA
Part of subcall function 0077CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0077CCBD
Part of subcall function 0077CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0077CCCF
Part of subcall function 0077CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0077CD05
Part of subcall function 0077CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0077CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0077CCF3

Strings

RegDeleteKeyExW, xrefs: 0077CCC9
advapi32.dll, xrefs: 0077CCB8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c5e524595237d347c6b36f7d18dd78a077343d1adece20a420431257d3cf4a66
Instruction ID: b045c0fe27b37ccbc5acbd8e7216c0e1c85f58dc7a76a29281d9ea40e21167ee
Opcode Fuzzy Hash: c5e524595237d347c6b36f7d18dd78a077343d1adece20a420431257d3cf4a66
Instruction Fuzzy Hash: 813183B1A41118BBDB228B50DC88EFFBB7CEF49780F108169B909E6140D7389A45DBB4

Function 00763D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00763D40
_wcslen.LIBCMT ref: 00763D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00763D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00763DBE
RemoveDirectoryW.KERNEL32(?), ref: 00763DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00763E55
CloseHandle.KERNEL32(00000000), ref: 00763E60
CloseHandle.KERNEL32(00000000), ref: 00763E6B

Strings

\??\%s, xrefs: 00763D5B
\, xrefs: 00763D77
:, xrefs: 00763D82

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d46e0ae64b63659f3f4a27ab2327a3dcea221244c38558c10b6863e29bce3269
Instruction ID: adeff77e454b14f9bb07e036f309f0f19760c1e7c9f3d2713554d97a034693cd
Opcode Fuzzy Hash: d46e0ae64b63659f3f4a27ab2327a3dcea221244c38558c10b6863e29bce3269
Instruction Fuzzy Hash: 423183B1A40209ABDB219BA4DC49FEF77BCEF89700F1041A5F915D6190E7789744CB64

Function 0075E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0075E6B4

Part of subcall function 0070E551: timeGetTime.WINMM(?,?,0075E6D4), ref: 0070E555

Sleep.KERNEL32(0000000A), ref: 0075E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0075E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0075E727
SetActiveWindow.USER32 ref: 0075E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0075E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0075E773
Sleep.KERNEL32(000000FA), ref: 0075E77E
IsWindow.USER32 ref: 0075E78A
EndDialog.USER32(00000000), ref: 0075E79B

Strings

BUTTON, xrefs: 0075E719

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7d917289d48beae6e35ec2d8ce96406d988b01d1e75e40c1753b182eb4cd4e08
Instruction ID: 7014dcb33fa94f3a853937121aca6634ba5ca6369022c1a360dde5a15c98ac17
Opcode Fuzzy Hash: 7d917289d48beae6e35ec2d8ce96406d988b01d1e75e40c1753b182eb4cd4e08
Instruction Fuzzy Hash: 6D21A4B0340244AFEB055F20ECC9E653B69FB5534AF208828F951915B2DFBD9D099B3C

Function 0075E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0075EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0075EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0075EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0075EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0075EAA7

Strings

alias PlayMe, xrefs: 0075EA36
play PlayMe wait, xrefs: 0075EA91
close PlayMe, xrefs: 0075EA6E, 0075EA9B
play PlayMe, xrefs: 0075EAA2
status PlayMe mode, xrefs: 0075EA58
open , xrefs: 0075EA0C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7b7ce32fe2901ae32a3b1980b79fed0c32526992dc2dd20ff3ea84e133f543a3
Instruction ID: 8917b95d265feee65eff03a0a2a25dbc65c85336e2a580e6174b11f4b918460e
Opcode Fuzzy Hash: 7b7ce32fe2901ae32a3b1980b79fed0c32526992dc2dd20ff3ea84e133f543a3
Instruction Fuzzy Hash: 7A117372A9026D79D724E7B1DC4AEFF6B7CEBD1B40F00442DBA11A20D1EEB81A45C5B0

Function 00755CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00755CE2
GetWindowRect.USER32(00000000,?), ref: 00755CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00755D59
GetDlgItem.USER32(?,00000002), ref: 00755D69
GetWindowRect.USER32(00000000,?), ref: 00755D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00755DCF
GetDlgItem.USER32(?,000003E9), ref: 00755DDD
GetWindowRect.USER32(00000000,?), ref: 00755DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00755E31
GetDlgItem.USER32(?,000003EA), ref: 00755E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00755E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00755E67

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 37fc532a057888145fd4584b96f97d0ada8e86125eae3feb62a59ba6e21f196e
Instruction ID: 1883a302a67e59c02bbaabe777226b062de0d1b66b81d340a902004954bd23d9
Opcode Fuzzy Hash: 37fc532a057888145fd4584b96f97d0ada8e86125eae3feb62a59ba6e21f196e
Instruction Fuzzy Hash: 96512F71B40609AFDF18CF68DD99AAE7BB5FF48301F248129F915E6290D7749E04CB60

Function 00708BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00708F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00708BE8,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708FC5

DestroyWindow.USER32(?), ref: 00708C81
KillTimer.USER32(00000000,?,?,?,?,00708BBA,00000000,?), ref: 00708D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00746973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 007469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000,?), ref: 007469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00708BBA,00000000), ref: 007469D4
DeleteObject.GDI32(00000000), ref: 007469E6

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8419eac3b3b65147e12ec46c5ba9f5c3cb3023ad9e36e5a314939522d125a837
Instruction ID: ef3d2a40cc47f696936859003e0aba3e73c6df71032fadb201e885a2dd47dab9
Opcode Fuzzy Hash: 8419eac3b3b65147e12ec46c5ba9f5c3cb3023ad9e36e5a314939522d125a837
Instruction Fuzzy Hash: B361AF30102600DFDB669F14D948B2677F1FB42312F64866CE0829A9A0CB7DBD90DF6A

Function 00709838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00709944: GetWindowLongW.USER32(?,000000EB), ref: 00709952

GetSysColor.USER32(0000000F), ref: 00709862

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 3bb73a9189323ad994f2a82dd7e7530b2e9846deee1cf80bbe215d19496be240
Instruction ID: d540e176220e47c5f1c598983384b4ecb3fac53ee7257b557d86a751e97fc2e5
Opcode Fuzzy Hash: 3bb73a9189323ad994f2a82dd7e7530b2e9846deee1cf80bbe215d19496be240
Instruction Fuzzy Hash: 6741A171544644EFDB215F389C88BB93BA5AB46330F248715FAA28B2E3D7399C41DB20

Function 00728D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.q, xrefs: 0072903A, 00728FD0, 00728FF2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: .q
API String ID: 0-2393120612
Opcode ID: b2b4698ade1b7e969dd0221b34b0c8931477b74cddff6daae37d4cb1f67d607b
Instruction ID: 7b5d890c2336b60a44089c652920c63548469d72719a24cb468cd58db69cb3e3
Opcode Fuzzy Hash: b2b4698ade1b7e969dd0221b34b0c8931477b74cddff6daae37d4cb1f67d607b
Instruction Fuzzy Hash: 0FC10575E0426AEFCB21DFA8E845BEDBBB0BF09310F184059E515A7392CB3D9941CB61

Function 007596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0073F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00759717
LoadStringW.USER32(00000000,?,0073F7F8,00000001), ref: 00759720

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0073F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00759742
LoadStringW.USER32(00000000,?,0073F7F8,00000001), ref: 00759745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00759866

Strings

Error: , xrefs: 0075981D
Line %d:, xrefs: 007597A0
Line %d (File "%s"):, xrefs: 0075978F
^ ERROR, xrefs: 007597FB
%s (%d) : ==> %s: %s %s, xrefs: 0075984A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3b3f1f992dab0ccce3a8e2a13a3d57d263fb001475fa9e6f1412bbc1242b4709
Instruction ID: 53dff9934effa73d0a5ba84cc42df78de0c749341256499a4ac3094341e0fff2
Opcode Fuzzy Hash: 3b3f1f992dab0ccce3a8e2a13a3d57d263fb001475fa9e6f1412bbc1242b4709
Instruction Fuzzy Hash: E8414B7280021DAACB45EBE0CD86EFE7379AF14341F200429F70572192EA796F48CB75

Function 007506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00750804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0075082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00750837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0075083C

Strings

\CLSID, xrefs: 00750724
\IPC$, xrefs: 00750784
SOFTWARE\Classes\, xrefs: 0075070E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f8dafb145044a6ae4b2a856035026bf50786c264aaa0e050f5a574eb0c74b575
Instruction ID: d219c69a87d7eea47d1fd82b3a4dbb875234d138f65661f58675d4647dde8d3a
Opcode Fuzzy Hash: f8dafb145044a6ae4b2a856035026bf50786c264aaa0e050f5a574eb0c74b575
Instruction Fuzzy Hash: B04118B2C1022DABDF15EBA4DC85DFDB779BF04390F144129E915A3261EB74AE04CBA4

Function 00783F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0078403B
CreateCompatibleDC.GDI32(00000000), ref: 00784042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00784055
SelectObject.GDI32(00000000,00000000), ref: 0078405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00784068
DeleteDC.GDI32(00000000), ref: 00784072
GetWindowLongW.USER32(?,000000EC), ref: 0078407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00784092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0078409E

Strings

static, xrefs: 00783FD3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a77d80340aaefd36314f2252b13844cb85e63355739a55b23b1a5ac899977703
Instruction ID: decafb127829df729cd6ba150c3ae0375f56964c492bacb4c514f420a62f661a
Opcode Fuzzy Hash: a77d80340aaefd36314f2252b13844cb85e63355739a55b23b1a5ac899977703
Instruction Fuzzy Hash: 82318032580219ABDF22AF64DC48FDB3B69EF0D720F104211FA14A60A0D779D820DB64

Function 00773C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00773C5C
CoInitialize.OLE32(00000000), ref: 00773C8A
CoUninitialize.OLE32 ref: 00773C94
_wcslen.LIBCMT ref: 00773D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00773DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00773ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00773F0E
CoGetObject.OLE32(?,00000000,0078FB98,?), ref: 00773F2D
SetErrorMode.KERNEL32(00000000), ref: 00773F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00773FC4
VariantClear.OLEAUT32(?), ref: 00773FD8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 4503ef084823df79a23f3395ed8f0d92370b8e4f07ef56c5ad5da510527f1607
Instruction ID: d550ce4e73ba067b8c3e39022257928e0b13d38c99b550d1190ec20e0aa95d8b
Opcode Fuzzy Hash: 4503ef084823df79a23f3395ed8f0d92370b8e4f07ef56c5ad5da510527f1607
Instruction Fuzzy Hash: 9EC166716083059FDB00DF68C88492BBBE9FF89784F10891DF98A9B250D775EE05CB62

Function 00767A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00767AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00767B8F
SHGetDesktopFolder.SHELL32(?), ref: 00767BA3
CoCreateInstance.OLE32(0078FD08,00000000,00000001,007B6E6C,?), ref: 00767BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00767C74
CoTaskMemFree.OLE32(?,?), ref: 00767CCC
SHBrowseForFolderW.SHELL32(?), ref: 00767D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00767D7A
CoTaskMemFree.OLE32(00000000), ref: 00767D81
CoTaskMemFree.OLE32(00000000), ref: 00767DD6
CoUninitialize.OLE32 ref: 00767DDC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 6ac634fe10facd8857e9e76c4039683546e6bda4eb6b855a0c10a39fb3071f58
Instruction ID: 9e0a588f4f9123726da1928419f903d5d7702a9cbceabed55399d90e0ca08370
Opcode Fuzzy Hash: 6ac634fe10facd8857e9e76c4039683546e6bda4eb6b855a0c10a39fb3071f58
Instruction Fuzzy Hash: 62C12A75A04109AFCB14DFA4C884DAEBBF9FF48354B148498E91ADB361D734EE45CBA0

Function 0078541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00785504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00785515
CharNextW.USER32(00000158), ref: 00785544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00785585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0078559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007855AC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 7328d4428e422e6545b85af50cddc9d9edc654dd94aca999edb251ce33cebfbb
Instruction ID: fe72a6848a80de42802a13e699a7b7b34a1f6b9962c65fca8e9cc17728d45376
Opcode Fuzzy Hash: 7328d4428e422e6545b85af50cddc9d9edc654dd94aca999edb251ce33cebfbb
Instruction Fuzzy Hash: 8B61A070A80608EFDF11AF54CC84DFE7BB9EF05721F208195F929A6290D77C9A80DB60

Function 0074FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0074FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0074FB08
VariantInit.OLEAUT32(?), ref: 0074FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0074FB3A
VariantCopy.OLEAUT32(?,?), ref: 0074FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0074FBA1
VariantClear.OLEAUT32(?), ref: 0074FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0074FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074FBCC
VariantClear.OLEAUT32(?), ref: 0074FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0074FBE9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: dfcb48ee2e354e28066a233203fd8ed9276631ef6841e08bf9cfae590fb60ac7
Instruction ID: c02f544abf7a5736330dd99f3ef1d8fcfced276d04e58fd1d027cdc45cb219c9
Opcode Fuzzy Hash: dfcb48ee2e354e28066a233203fd8ed9276631ef6841e08bf9cfae590fb60ac7
Instruction Fuzzy Hash: 7E415F75A00219DFCB01DF64D858DAEBBB9FF49354F10C069E90AA7261CB38A945CBA4

Function 00759C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00759CA1
GetAsyncKeyState.USER32(000000A0), ref: 00759D22
GetKeyState.USER32(000000A0), ref: 00759D3D
GetAsyncKeyState.USER32(000000A1), ref: 00759D57
GetKeyState.USER32(000000A1), ref: 00759D6C
GetAsyncKeyState.USER32(00000011), ref: 00759D84
GetKeyState.USER32(00000011), ref: 00759D96
GetAsyncKeyState.USER32(00000012), ref: 00759DAE
GetKeyState.USER32(00000012), ref: 00759DC0
GetAsyncKeyState.USER32(0000005B), ref: 00759DD8
GetKeyState.USER32(0000005B), ref: 00759DEA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9d9198fa41a8d682ff76d443be7d1d5f288242e7c75ad33009a13967670ea5f3
Instruction ID: 30c3bdb5939949c4b32f1b72b57e9704c58a20ec064dd55a38e1d919cdcadc49
Opcode Fuzzy Hash: 9d9198fa41a8d682ff76d443be7d1d5f288242e7c75ad33009a13967670ea5f3
Instruction Fuzzy Hash: 0A41A4346047C9A9FF71967088143E5BEB06B11345F08805ADFC65A6C2EBEDA9CCC7A2

Function 0077055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007705BC
inet_addr.WSOCK32(?), ref: 0077061C
gethostbyname.WSOCK32(?), ref: 00770628
IcmpCreateFile.IPHLPAPI ref: 00770636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007707B9
WSACleanup.WSOCK32 ref: 007707BF

Strings

Ping, xrefs: 00770676

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f8015fcf237b8110fa3396199cc3a9ec8579804f5a40ca2b02f29164a4e19ddf
Instruction ID: cce3b79c96911d325d18ee02f25c78c6d1cc8ad134976bd0a21d04e67bccf565
Opcode Fuzzy Hash: f8015fcf237b8110fa3396199cc3a9ec8579804f5a40ca2b02f29164a4e19ddf
Instruction Fuzzy Hash: 7E918A75604201DFDB24CF15C888F2ABBE1AF84358F14C5A9E5698B6A2C738ED41CFD1

Function 00778CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00778CF3

Part of subcall function 00758E54: _wcslen.LIBCMT ref: 00758E77

_wcslen.LIBCMT ref: 00778D4E
_wcslen.LIBCMT ref: 00778D9C
_wcslen.LIBCMT ref: 00778DDC
_wcslen.LIBCMT ref: 00778E6E

Strings

none, xrefs: 00778E65, 00778E6A
cdecl, xrefs: 00778D48, 00778D4D
winapi, xrefs: 00778D96, 00778D9B
stdcall, xrefs: 00778DD6, 00778DDB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4e865d26b1bcfb030f79a8cba36f4c52bc58001fe5554bf99733409850eb8486
Instruction ID: cc6fe095db737f8d91cd04d7983331495a5e658dc5b563460a0b21c9115e6edf
Opcode Fuzzy Hash: 4e865d26b1bcfb030f79a8cba36f4c52bc58001fe5554bf99733409850eb8486
Instruction Fuzzy Hash: C551D731A405169BCF64DF6CC8449BEB7A6BF643A4B208229E529E73C4DF78DD40C791

Function 0077372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00773774
CoUninitialize.OLE32 ref: 0077377F
CoCreateInstance.OLE32(?,00000000,00000017,0078FB78,?), ref: 007737D9
IIDFromString.OLE32(?,?), ref: 0077384C
VariantInit.OLEAUT32(?), ref: 007738E4
VariantClear.OLEAUT32(?), ref: 00773936

Strings

Failed to create object, xrefs: 007737E4, 0077389A
Invalid parameter, xrefs: 00773865
NULL Pointer assignment, xrefs: 0077381E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e816d7742408c5e78cfa0e20f0aa13c8610c4cfef74bf41a97a75070c5b72af6
Instruction ID: 099ffa9bf7b1d27d9bb6eedebb37015aaa51948e1cb5f76558ab01171af23cab
Opcode Fuzzy Hash: e816d7742408c5e78cfa0e20f0aa13c8610c4cfef74bf41a97a75070c5b72af6
Instruction Fuzzy Hash: 7761C1B0208301EFD710DF54C889F6AB7E4EF48750F108909F9899B291C778EE48DBA6

Function 00763388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007633CF

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007633F0

Strings

Error: , xrefs: 007634D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00763504
Incorrect parameters to object property !, xrefs: 007634AB
Line %d (File "%s"):, xrefs: 00763443, 0076345C
^ ERROR , xrefs: 0076349E
"%s" (%d) : ==> %s:, xrefs: 00763522

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 99f8fdca20ca3f4d1d2d8e228d56354cb71b779b3bf872edc60593c6a1a0dd7a
Instruction ID: 78c4cdee54c3f165de55a398c07988ca7066bdc011a5be2a3144514be9a681dd
Opcode Fuzzy Hash: 99f8fdca20ca3f4d1d2d8e228d56354cb71b779b3bf872edc60593c6a1a0dd7a
Instruction Fuzzy Hash: 445192B2900259AADF15EBE0CD46EFEB779EF04340F204069F60572192EB796F58CB64

Function 0075B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0075B5FC
_wcslen.LIBCMT ref: 0075B608
_wcslen.LIBCMT ref: 0075B64D
_wcslen.LIBCMT ref: 0075B68C
_wcslen.LIBCMT ref: 0075B6C7

Strings

REMOVE, xrefs: 0075B602, 0075B607
EXISTS, xrefs: 0075B686, 0075B68B
APPEND, xrefs: 0075B6C1, 0075B6C6
KEYS, xrefs: 0075B647, 0075B64C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 40cfeadae82c185158ef096958d836b64946d1443aed56a4ffd42feef3f0b164
Instruction ID: db8fda3f0b131fe515acdc3ceee4930c879137f8caf041394daaddb7177a07d6
Opcode Fuzzy Hash: 40cfeadae82c185158ef096958d836b64946d1443aed56a4ffd42feef3f0b164
Instruction Fuzzy Hash: EB41D532A000279ACB205F7DC8905FEB7A5EFA0755B24452AED21DB284E77DDD8AC790

Function 00765393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00765416
GetLastError.KERNEL32 ref: 00765420
SetErrorMode.KERNEL32(00000000,READY), ref: 007654A7

Strings

UNKNOWN, xrefs: 00765444
READY, xrefs: 00765460, 00765468
NOTREADY, xrefs: 0076544B
READONLY, xrefs: 00765452
INVALID, xrefs: 00765459

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3b8e7ec1cfaa6ed7f26d9ee4c3653ed115c23fdc36599e7716a5a1780f6f8380
Instruction ID: bd9717827c21566033214c46c38781ef8eec149bf8970e097deff72adaea3df9
Opcode Fuzzy Hash: 3b8e7ec1cfaa6ed7f26d9ee4c3653ed115c23fdc36599e7716a5a1780f6f8380
Instruction Fuzzy Hash: 0C31C375A005489FCB11DF68C484BAA7FB4FF05305F1480A9E906DB292DF79DD86DBA0

Function 00783C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00783C79
SetMenu.USER32(?,00000000), ref: 00783C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00783D10
IsMenu.USER32(?), ref: 00783D24
CreatePopupMenu.USER32 ref: 00783D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00783D5B
DrawMenuBar.USER32 ref: 00783D63

Strings

0, xrefs: 00783C54
F, xrefs: 00783D4E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 29bbe522185d1d24ccdf789e965fabc82bc66f910a5f4784c13c6ef0d2e5e6ce
Instruction ID: c9ff8da0dc2af69a5960a6826345918449c4857957bb653877399c74aa17a3f8
Opcode Fuzzy Hash: 29bbe522185d1d24ccdf789e965fabc82bc66f910a5f4784c13c6ef0d2e5e6ce
Instruction Fuzzy Hash: B8418B75A01209EFDF14DF68D844EAA7BB5FF49310F244028F90697360D738AA10CFA4

Function 00751EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00751F64
GetDlgCtrlID.USER32 ref: 00751F6F
GetParent.USER32 ref: 00751F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00751F8E
GetDlgCtrlID.USER32(?), ref: 00751F97
GetParent.USER32(?), ref: 00751FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00751FAE

Strings

ListBox, xrefs: 00751F21
ComboBox, xrefs: 00751EEC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 00946dfccc9f0c13f191146aad2d86eeb4b03dd789493c4f55f56aa994bc282d
Instruction ID: 1d7402e61a9391ecdb3754ec7d4074f7e929d76dc6aaeacb18614420e1e4bb6c
Opcode Fuzzy Hash: 00946dfccc9f0c13f191146aad2d86eeb4b03dd789493c4f55f56aa994bc282d
Instruction Fuzzy Hash: 3021FF70A00218BBCF05AFA0DC84EFEBBB9EF05341B104599F961A32E1DB794908CB74

Function 00751FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00752043
GetDlgCtrlID.USER32 ref: 0075204E
GetParent.USER32 ref: 0075206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0075206D
GetDlgCtrlID.USER32(?), ref: 00752076
GetParent.USER32(?), ref: 0075208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0075208D

Strings

ListBox, xrefs: 00752002
ComboBox, xrefs: 00751FCD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b4c847c661155a66f0e2e74d1d9bbf92b7ac5a0fe70343b327336fd0b9ffc1f1
Instruction ID: 5f159bebdc1dee2398129272a4d39a872270b9363983c96277582969f192d0b3
Opcode Fuzzy Hash: b4c847c661155a66f0e2e74d1d9bbf92b7ac5a0fe70343b327336fd0b9ffc1f1
Instruction Fuzzy Hash: 522101B1A00208BBCF01AFA0CC85EFEBBB9EF05340F104455F965A31A2DABD4909CB74

Function 00783A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00783A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00783AA0
GetWindowLongW.USER32(?,000000F0), ref: 00783AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00783AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00783B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00783BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00783BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00783BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00783BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00783C13

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2b5217332b70628de70eb2d36904d564b7a06239b083c792c6a2f3b8da87be82
Instruction ID: 9d90404b9290680fab63a3589dfddade3b03aceeb10eddf0fb339db5edc2900b
Opcode Fuzzy Hash: 2b5217332b70628de70eb2d36904d564b7a06239b083c792c6a2f3b8da87be82
Instruction Fuzzy Hash: 16617FB5940248AFDB10DF68CC81EEE77F8EF09710F1041A9FA15A7292D778AE45DB60

Function 0075B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0075B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B165
GetWindowThreadProcessId.USER32(00000000), ref: 0075B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0075B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0075A1E1,?,00000001), ref: 0075B21D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d05a92c2470e946d081ad448301862561217f3cc7a88b58557334756238f2fde
Instruction ID: e1fa470ee8ed2b5fc97f0c78e312b568c0345db098024ffcb3005f5cca2dc856
Opcode Fuzzy Hash: d05a92c2470e946d081ad448301862561217f3cc7a88b58557334756238f2fde
Instruction Fuzzy Hash: BD318E72640604AFDB119F64EC49FBD7BAABB51312F20C019FE01DA190D7BC9A848F78

Function 00722C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00722C94

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 00722CA0
_free.LIBCMT ref: 00722CAB
_free.LIBCMT ref: 00722CB6
_free.LIBCMT ref: 00722CC1
_free.LIBCMT ref: 00722CCC
_free.LIBCMT ref: 00722CD7
_free.LIBCMT ref: 00722CE2
_free.LIBCMT ref: 00722CED
_free.LIBCMT ref: 00722CFB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cdaeb16ae950897123b5bb02bbd3f5dd34a0acce4833595c865a34a9247c166
Instruction ID: 4ba1eb87de32280607a79ed89fd75a1658bc2be73e68c27ac4a544f0887edac3
Opcode Fuzzy Hash: 6cdaeb16ae950897123b5bb02bbd3f5dd34a0acce4833595c865a34a9247c166
Instruction Fuzzy Hash: 62119476100118FFCB02EF54E846CDD3BA5BF09350F9144A5F9886B232D635FA919F90

Function 00767DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00767FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00767FC1
GetFileAttributesW.KERNEL32(?), ref: 00767FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00768005
SetCurrentDirectoryW.KERNEL32(?), ref: 00768017
SetCurrentDirectoryW.KERNEL32(?), ref: 00768060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007680B0

Strings

*.*, xrefs: 00768066

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 58883dfdefe54fa52d6fa2c3cb82fca1ba61625cd1d0d9c8a67f5443cea8d793
Instruction ID: 04f09617abdb3e516a5a7abda52a9417306852107230f9f94092b7f9aca5c4fb
Opcode Fuzzy Hash: 58883dfdefe54fa52d6fa2c3cb82fca1ba61625cd1d0d9c8a67f5443cea8d793
Instruction Fuzzy Hash: CE81C0725082059BCB28EF54C8449BAB3E9BF88354F144D5EFD86C7250EB3ADD49CB52

Function 006F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006F5C7A

Part of subcall function 006F5D0A: GetClientRect.USER32(?,?), ref: 006F5D30
Part of subcall function 006F5D0A: GetWindowRect.USER32(?,?), ref: 006F5D71
Part of subcall function 006F5D0A: ScreenToClient.USER32(?,?), ref: 006F5D99

GetDC.USER32 ref: 007346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00734708
SelectObject.GDI32(00000000,00000000), ref: 00734716
SelectObject.GDI32(00000000,00000000), ref: 0073472B
ReleaseDC.USER32(?,00000000), ref: 00734733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007347C4

Strings

U, xrefs: 00734693

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7303afe74a6e53cbce81f969d1864dc4245e50acf17667ad310d1e094eb3b328
Instruction ID: 4c7eedaf408b0fdb5500e689764b595cec6e08fa5ed67cde1aca675bd300278b
Opcode Fuzzy Hash: 7303afe74a6e53cbce81f969d1864dc4245e50acf17667ad310d1e094eb3b328
Instruction Fuzzy Hash: 9A71D131500209DFDF298F64C985ABA3BB2FF46360F144269EA565A2A7C338AC41DF60

Function 0076359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007635E4

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

LoadStringW.USER32(007C2390,?,00000FFF,?), ref: 0076360A

Strings

Error: , xrefs: 007636EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00763724
Line %d (File "%s"):, xrefs: 0076366B
^ ERROR, xrefs: 007636C9
"%s" (%d) : ==> %s:, xrefs: 00763742

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 37145be153f7ab62fc36173322615a993c22a85ae12a2620b86095f96146f86f
Instruction ID: e10a40480995b39667355dd7d2eebb9b19676080376a61d7f6e5c3939bb3626e
Opcode Fuzzy Hash: 37145be153f7ab62fc36173322615a993c22a85ae12a2620b86095f96146f86f
Instruction Fuzzy Hash: 9C516FB2800259AADF15EBA0DC46EFDBB75EF05340F144129F60572192DB391B98DB64

Function 0076C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0076C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0076C2CA
GetLastError.KERNEL32 ref: 0076C322
SetEvent.KERNEL32(?), ref: 0076C336
InternetCloseHandle.WININET(00000000), ref: 0076C341

Strings

, xrefs: 0076C2BB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6d985060a6edf76e10a6f8f124ca63c1ac058bb2508b60797d03432635154eb1
Instruction ID: 3018b3c625e58c766e3bad2db9617578e3239a745f1d3adb10e57b83d7c9b4e3
Opcode Fuzzy Hash: 6d985060a6edf76e10a6f8f124ca63c1ac058bb2508b60797d03432635154eb1
Instruction Fuzzy Hash: 87316BB1640208AFD7239F66DC88ABB7AFCEB49744B14851EF88796240DB38DD049B75

Function 0075989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00733AAF,?,?,Bad directive syntax error,0078CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007598BC
LoadStringW.USER32(00000000,?,00733AAF,?), ref: 007598C3

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00759987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 007598F1
Line %d:, xrefs: 00759912
Line %d (File "%s"):, xrefs: 0075992D
Error: , xrefs: 00759955
., xrefs: 0075996D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ed0178f4acf853678f697cf9c6cc0b4be4a31954d97c112f345b7b611cb94980
Instruction ID: cf5ed17916c7cb4248747f4303e38a24201b56d205eafc854ea87648b027dae8
Opcode Fuzzy Hash: ed0178f4acf853678f697cf9c6cc0b4be4a31954d97c112f345b7b611cb94980
Instruction Fuzzy Hash: 4F21717284026EEBDF16EF90CC0AEFD7775BF14341F044429F615620A2EB79A618CB20

Function 0075209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0075214D

Strings

smallicons, xrefs: 00752115
SHELLDLL_DefView, xrefs: 007520CC
largeicons, xrefs: 007520E1
details, xrefs: 007520FB
list, xrefs: 0075212F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d1d2e55f5f6327fc04d6920ea078af23a57108bcc42dea4863de1ec89db8361c
Instruction ID: 616e47f73424716a9405112a684a4330a11bb0be592494c653550452081593bd
Opcode Fuzzy Hash: d1d2e55f5f6327fc04d6920ea078af23a57108bcc42dea4863de1ec89db8361c
Instruction Fuzzy Hash: 1511E7B6684B0AF9F60522249C0AEE7379CDF06325B204126FE04A50D2FABD58475654

Function 0072CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0072CEB7
_free.LIBCMT ref: 0072CF22
_free.LIBCMT ref: 0072CF48
_free.LIBCMT ref: 0072CF71
_free.LIBCMT ref: 0072CFA9
_free.LIBCMT ref: 0072CFDA
_free.LIBCMT ref: 0072D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0072D09C
_free.LIBCMT ref: 0072D0B5

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a8656a42edb4eac80db2e938770c0a843939830362fd8ba680bb4888a257d615
Instruction ID: 4f8c82df85369014c29155fa517e4f15253ad8322821a2b9e406b4f81b56eb6e
Opcode Fuzzy Hash: a8656a42edb4eac80db2e938770c0a843939830362fd8ba680bb4888a257d615
Instruction Fuzzy Hash: DF617772A04320EFDB32AFB4BD89A6D7BA5AF15310F04426DF841A7292E63D9D4187D0

Function 007850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00785186
ShowWindow.USER32(?,00000000), ref: 007851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007851D1

Part of subcall function 00786FBA: DeleteObject.GDI32(00000000), ref: 00786FE6

GetWindowLongW.USER32(?,000000F0), ref: 0078520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0078521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0078524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00785287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00785296

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 179d1a943607db8083e47ec500a43ae4d63386c51a36f7350144f2928a370530
Instruction ID: c63cc40b62dc488f0d260b9683e407a3d790ea09e3d068b5556f5df8376a7d7d
Opcode Fuzzy Hash: 179d1a943607db8083e47ec500a43ae4d63386c51a36f7350144f2928a370530
Instruction Fuzzy Hash: 49518F70AD0A08FEEF21AF28CC4DBD93BA5BB05361F248111F615D62E1CB7DA990DB51

Function 00708B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00746890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00708874,00000000,00000000,00000000,000000FF,00000000), ref: 00746901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0074691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00708874,00000000,00000000,00000000,000000FF,00000000), ref: 0074692D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a6f4f88c4fc41413974022a7447c5a4767f1ece617887e1eaf28cf9dbad60ab0
Instruction ID: 00be32ce6fc7760494847da7be1a7e85abeca5984f1ac061f71b80baea5b73bb
Opcode Fuzzy Hash: a6f4f88c4fc41413974022a7447c5a4767f1ece617887e1eaf28cf9dbad60ab0
Instruction Fuzzy Hash: BD516AB0600209EFDB20CF24CC55FAA7BF5EB59760F204628F956962E0DB78E990DB51

Function 0076C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0076C182
GetLastError.KERNEL32 ref: 0076C195
SetEvent.KERNEL32(?), ref: 0076C1A9

Part of subcall function 0076C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0076C272
Part of subcall function 0076C253: GetLastError.KERNEL32 ref: 0076C322
Part of subcall function 0076C253: SetEvent.KERNEL32(?), ref: 0076C336
Part of subcall function 0076C253: InternetCloseHandle.WININET(00000000), ref: 0076C341

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 7c7f177256f71029dbdf45b4c1b64152087c8bfb9c8f62293ac039ca6bbf58fa
Instruction ID: ee995f543d033202cf4b090cc2f275ba57ca47af16357acfff83cf2858ebf3b0
Opcode Fuzzy Hash: 7c7f177256f71029dbdf45b4c1b64152087c8bfb9c8f62293ac039ca6bbf58fa
Instruction Fuzzy Hash: 1F318A71240605AFDB229FB5DC58A77BBF8FF18300B14842EFD9B86610D739E8149BA0

Function 007525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00752601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00752605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0075260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00752623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00752627

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a57c55acbc9da54c2f47d03062b264fe7253e7246ed5121c578da1a4f43f69c2
Instruction ID: cb2648fa751256cf50849e800b85249f6d6f483923dbe5629194305c542494f7
Opcode Fuzzy Hash: a57c55acbc9da54c2f47d03062b264fe7253e7246ed5121c578da1a4f43f69c2
Instruction Fuzzy Hash: 3601F570780214BBFB1067688C8EF993F59DB4AB52F204011F314AE0E1C9F518498A79

Function 00751803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00751449,?,?,00000000), ref: 0075180C
HeapAlloc.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 00751813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751449,?,?,00000000), ref: 00751828
GetCurrentProcess.KERNEL32(?,00000000,?,00751449,?,?,00000000), ref: 00751830
DuplicateHandle.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 00751833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00751449,?,?,00000000), ref: 00751843
GetCurrentProcess.KERNEL32(00751449,00000000,?,00751449,?,?,00000000), ref: 0075184B
DuplicateHandle.KERNEL32(00000000,?,00751449,?,?,00000000), ref: 0075184E
CreateThread.KERNEL32(00000000,00000000,00751874,00000000,00000000,00000000), ref: 00751868

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a58311335bc974cc3abb949d523aeba84d24a826c081e0e95ce0f0079266cf19
Instruction ID: b5cf55e92d97822bf4f7c9113cb8a7e9312b6e5041710581ea8a4511d2dfb7d4
Opcode Fuzzy Hash: a58311335bc974cc3abb949d523aeba84d24a826c081e0e95ce0f0079266cf19
Instruction Fuzzy Hash: C701BFB5680308BFE711ABA5DC8EF573B6CEB89B11F518411FA05DB191D6759C00CB34

Function 00723E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00723F0B
__alldvrm.LIBCMT ref: 0072410C
__alldvrm.LIBCMT ref: 0072412E

Strings

}}q, xrefs: 00723E8A
}}q, xrefs: 00723E96, 00723EF1, 00723F0A, 00724090
}}q, xrefs: 007240CD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}q$}}q$}}q
API String ID: 1036877536-4147771642
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: e7fc4d438e78d5b23faaacc86be14e9627dd67e3856e5606c36ce41f593676f0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 77A18B72E007A69FEB21CF18E8917AEBBF4EF61350F1441ADE5859B282C23C9D81C750

Function 0077A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0075D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0075D501
Part of subcall function 0075D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0075D50F
Part of subcall function 0075D4DC: CloseHandle.KERNELBASE(00000000), ref: 0075D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077A16D
GetLastError.KERNEL32 ref: 0077A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0077A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0077A268
GetLastError.KERNEL32(00000000), ref: 0077A273
CloseHandle.KERNEL32(00000000), ref: 0077A2C4

Strings

SeDebugPrivilege, xrefs: 0077A18F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 540513f56aad41e6f2b3ea8dc56b35635d4b29d10aae7d9e15846f9b33605e56
Instruction ID: 37f663d38c15f42fd836a01bef9102819a744e07ebbec559621508f81ff6f84c
Opcode Fuzzy Hash: 540513f56aad41e6f2b3ea8dc56b35635d4b29d10aae7d9e15846f9b33605e56
Instruction Fuzzy Hash: 69619071204242AFEB10DF18C494F29BBE1AF84358F54C49CE45A8B7A3C77AEC45CB96

Function 00783886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00783925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0078393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00783954
_wcslen.LIBCMT ref: 00783999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007839F4

Strings

SysListView32, xrefs: 007838F7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: db986a58536a828a65cbe028fc81234e602975ce299ef5154719a103e1f4ba08
Instruction ID: e2842cc984d57a1d63e0b54bae4065658f2348368f5b2ed07be70f0ad34bcc89
Opcode Fuzzy Hash: db986a58536a828a65cbe028fc81234e602975ce299ef5154719a103e1f4ba08
Instruction Fuzzy Hash: ED41E771A40208ABDF21AF68CC49FEA77A9EF08754F100126F544E7181D778DE80CB94

Function 0075BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0075BCFD
IsMenu.USER32(00000000), ref: 0075BD1D
CreatePopupMenu.USER32 ref: 0075BD53
GetMenuItemCount.USER32(00CC62F8), ref: 0075BDA4
InsertMenuItemW.USER32(00CC62F8,?,00000001,00000030), ref: 0075BDCC

Strings

0, xrefs: 0075BCA8
2, xrefs: 0075BD37

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 99651cf760704b39609eb4ce7c0b4f93e6043f92c10b04a96f9ec1b132868601
Instruction ID: 386d1b282b8b455a632f98134ab78a557b350cd6fcd6f9424092dd1eafba8b86
Opcode Fuzzy Hash: 99651cf760704b39609eb4ce7c0b4f93e6043f92c10b04a96f9ec1b132868601
Instruction Fuzzy Hash: B5517B70A00309DBDF11CFA8D888BFEBBF4AF45316F248159EC1197291D7B8A949CB61

Function 00712D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00712D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00712D53
_ValidateLocalCookies.LIBCMT ref: 00712DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00712E0C
_ValidateLocalCookies.LIBCMT ref: 00712E61

Strings

csm, xrefs: 00712DF6
&Hq, xrefs: 00712DFE, 00712E07, 00712E18

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hq$csm
API String ID: 1170836740-317068433
Opcode ID: b3f7ed0c9a83d83299ef0f0873e31c18a238bf715fa21ad7c1669a5dc733f9c8
Instruction ID: 175750d4f8c881dbfc515427b00d5abb0d47f08f8a0487aaf561e1f6cfcdf7af
Opcode Fuzzy Hash: b3f7ed0c9a83d83299ef0f0873e31c18a238bf715fa21ad7c1669a5dc733f9c8
Instruction Fuzzy Hash: 72416234A00209EBCF10DF6CD849ADEBBA5BF45324F148155E9146B3D3D739AAA6CBD0

Function 0075C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0075C913

Strings

info, xrefs: 0075C8B4
warning, xrefs: 0075C8FC
stop, xrefs: 0075C8E4
question, xrefs: 0075C8CC
blank, xrefs: 0075C895

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3d4611a5dbf2fad985378be9907091a3a0f2fa59de56789dc40da533ccf81ecd
Instruction ID: d5ebca643b4d40691b99835648592fabd401d1ea85355c3123b453de7bdb4073
Opcode Fuzzy Hash: 3d4611a5dbf2fad985378be9907091a3a0f2fa59de56789dc40da533ccf81ecd
Instruction Fuzzy Hash: E9110D32689306BEE7025B549C83FEA679CDF15766B60402AFD00B62C2EBFC7D445268

Function 0075DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0075DE42
gethostname.WSOCK32(?,00000100), ref: 0075DE5C
gethostbyname.WSOCK32(?), ref: 0075DE69
inet_ntoa.WSOCK32(?), ref: 0075DEAB
_strcat.LIBCMT ref: 0075DEB9
WSACleanup.WSOCK32 ref: 0075DEDE

Strings

0.0.0.0, xrefs: 0075DE87

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 01afabe6267bc758ec049d831c3e5e8bfd836a977abb2b8d4982619e80279223
Instruction ID: 4296d53dace2ae8e54e57a1523784d3b74a81f3a3193b6f94e57f11bcd1f4249
Opcode Fuzzy Hash: 01afabe6267bc758ec049d831c3e5e8bfd836a977abb2b8d4982619e80279223
Instruction Fuzzy Hash: 8311E171944119EBDB31AB249C0BEEE77ACDB11712F1001A9F905AA091EFBC9E858B60

Function 0075ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0075ED2A
_wcslen.LIBCMT ref: 0075ED3B
_wcslen.LIBCMT ref: 0075ED79
_wcslen.LIBCMT ref: 0075EDAF
_wcslen.LIBCMT ref: 0075EDDF
_wcslen.LIBCMT ref: 0075EDEF
_wcslen.LIBCMT ref: 0075EE2B
_wcslen.LIBCMT ref: 0075EE5A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 424cc9ff9b3bff7e3e49e669453a6b6023aa6b8ac4840d8519a8f4a95e5cc4d2
Instruction ID: c8e9cf535339611322ccd8637d62911d96357a915f7bcb464b262aedc60a5255
Opcode Fuzzy Hash: 424cc9ff9b3bff7e3e49e669453a6b6023aa6b8ac4840d8519a8f4a95e5cc4d2
Instruction Fuzzy Hash: 5641B366C10218B5DB11EBF8888E9CFB7B8AF45710F508466E914F3162FB38E785C7A5

Function 0070F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0070F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0074F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0074F454

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c76fcf18afdbe6d8ecede97a0904efb1f7734709e1b115d11b84949ff56de640
Instruction ID: 58062a9ddef47536a55838bdada3611ee509dafff885bb1d858e57239f44a91e
Opcode Fuzzy Hash: c76fcf18afdbe6d8ecede97a0904efb1f7734709e1b115d11b84949ff56de640
Instruction Fuzzy Hash: 6A410931628680FED7359B2DD888B2A7BD1AB96314F24863DE047D2DE1D73DB881C711

Function 00782D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00782D1B
GetDC.USER32(00000000), ref: 00782D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00782D2E
ReleaseDC.USER32(00000000,00000000), ref: 00782D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00782D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00782D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00785A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00782DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00782DE1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 14427f616d73fa6907ea19979327dabc114a9bb531a94df9feb3790701645590
Instruction ID: 9aaa591067bc6a00d8c51464526928253b7cefff33d1e563a5ad6e937866a6e9
Opcode Fuzzy Hash: 14427f616d73fa6907ea19979327dabc114a9bb531a94df9feb3790701645590
Instruction Fuzzy Hash: ED319C72281214BFEB158F50CC8AFEB3FA9EF09751F148065FE089A291D6799C41CBB4

Function 00755622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00755637
_memcmp.LIBVCRUNTIME ref: 00755659
_memcmp.LIBVCRUNTIME ref: 00755671
_memcmp.LIBVCRUNTIME ref: 00755684
_memcmp.LIBVCRUNTIME ref: 0075569E
_memcmp.LIBVCRUNTIME ref: 007556B1
_memcmp.LIBVCRUNTIME ref: 007556C9
_memcmp.LIBVCRUNTIME ref: 007556E4

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 618a3bf5aa80ac921cdcd7c0ef17d74cc0e01a78d56c9147e87be2492173cb7b
Instruction ID: 30419b0e74881b562b65933df5e45b863faf76f21ca6775c2e6807151a2c6ec8
Opcode Fuzzy Hash: 618a3bf5aa80ac921cdcd7c0ef17d74cc0e01a78d56c9147e87be2492173cb7b
Instruction Fuzzy Hash: 4021DAA1A81949F7D31465258DA2FFA335CEF14786F940020FE049E581F7ACEE1886A5

Function 00774FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00775007
NULL Pointer assignment, xrefs: 0077502E, 00775383

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: df91a5bad2662d50a2b42cc68be5ea8bc64726b19142cd286b19b1dc13afc349
Instruction ID: cdebb49b68b67ee788687039e004ed00d93bc27adbe0c89837a5f8c611282718
Opcode Fuzzy Hash: df91a5bad2662d50a2b42cc68be5ea8bc64726b19142cd286b19b1dc13afc349
Instruction Fuzzy Hash: D3D1C771A0060A9FDF10CF68C885BAEB7B5FF48384F14C469E919AB291D7B4DD45CB60

Function 00731522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007315CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00731651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007316E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007316FB

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00731777
__freea.LIBCMT ref: 007317A2
__freea.LIBCMT ref: 007317AE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2dda1da09ee7e2aa06c67f6762c8bbff0244695e9239fc5e4be017da9576a378
Instruction ID: 173d6199f30aec0eaed584f86fc0d25ca0937f4058abdcee8b90f320c39cb468
Opcode Fuzzy Hash: 2dda1da09ee7e2aa06c67f6762c8bbff0244695e9239fc5e4be017da9576a378
Instruction Fuzzy Hash: DC919371E002169AEF218FB4CC85EEE7BB5AF49710F984669E805E7242DB3DDD50CB60

Function 00774523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00774648
VariantInit.OLEAUT32(?), ref: 00774749
VariantClear.OLEAUT32(?), ref: 00774753
VariantClear.OLEAUT32(?), ref: 007747B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0077472C
Null Object assignment in FOR..IN loop, xrefs: 007745D8, 00774706, 007747BE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: c4cc29f407af4a4e26553ac35b374baa6a1e178e76fc229a60f0b8b91ad1038a
Instruction ID: c8e7b2d352b5d70aaf4c2618f54d1d951ed69fb90584610b7acb7969ea0000aa
Opcode Fuzzy Hash: c4cc29f407af4a4e26553ac35b374baa6a1e178e76fc229a60f0b8b91ad1038a
Instruction Fuzzy Hash: B6916271A00219EBDF24CFA4C845FAEBBB8EF46754F10C559F519AB280D7789941CFA0

Function 00761187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0076125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00761284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0076135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00761430

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 65483c050741166fbd26d691ca11e564710b325ec8c79bd34461196793ec2722
Instruction ID: c7ae924ef3fd78fe7d662162ee61e43a8d466a2c6913b0ffa6c22eafc1a497f3
Opcode Fuzzy Hash: 65483c050741166fbd26d691ca11e564710b325ec8c79bd34461196793ec2722
Instruction Fuzzy Hash: 1591C271A00209DFDB01DFA4C899BBE7BB5FF45324F598029E902E7291D77CA941CB94

Function 0070948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 50c4801a2cea4c39e82ed2f7ed8bc837fc7cc70796b3d983852495cc1ce427b4
Instruction ID: 7e7c15ce928e9e1878e3b21cbc256493149d1ba38d742b50e05cfa682511daf3
Opcode Fuzzy Hash: 50c4801a2cea4c39e82ed2f7ed8bc837fc7cc70796b3d983852495cc1ce427b4
Instruction Fuzzy Hash: 74915C71D40219EFCB15CFA9CC88AEEBBB8FF49320F248155E515B7292D378A951CB60

Function 00773947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0077396B
CharUpperBuffW.USER32(?,?), ref: 00773A7A
_wcslen.LIBCMT ref: 00773A8A
VariantClear.OLEAUT32(?), ref: 00773C1F

Part of subcall function 00760CDF: VariantInit.OLEAUT32(00000000), ref: 00760D1F
Part of subcall function 00760CDF: VariantCopy.OLEAUT32(?,?), ref: 00760D28
Part of subcall function 00760CDF: VariantClear.OLEAUT32(?), ref: 00760D34

Strings

Incorrect Parameter format, xrefs: 007739A6, 00773BA1
AUTOIT.ERROR, xrefs: 00773A80, 00773A85

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 91652315efbddcf4db30e007a875b216a3d65f17a1d9efa616824daee338305a
Instruction ID: a9945a5eb244a4553fdb799320341d015296751d2d89daa60813075a069c87b4
Opcode Fuzzy Hash: 91652315efbddcf4db30e007a875b216a3d65f17a1d9efa616824daee338305a
Instruction Fuzzy Hash: 989164756083059FCB04EF24C48596AB7E5FF88354F14892EF88A9B351DB38EE05CB92

Function 00774BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0075000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?,?,0075035E), ref: 0075002B
Part of subcall function 0075000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750046
Part of subcall function 0075000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750054
Part of subcall function 0075000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?), ref: 00750064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00774C51
_wcslen.LIBCMT ref: 00774D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00774DCF
CoTaskMemFree.OLE32(?), ref: 00774DDA

Strings

NULL Pointer assignment, xrefs: 00774E23, 00774E52

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1564ae66068353b1baf69a6a34bd4ee7c0113274bf52be60d1fefba0d42dd93c
Instruction ID: 9d0046661b032ce2696cd3fc625af29639961f15502db80d7de1bd825310d975
Opcode Fuzzy Hash: 1564ae66068353b1baf69a6a34bd4ee7c0113274bf52be60d1fefba0d42dd93c
Instruction Fuzzy Hash: 54913771D0021DEFDF15DFA4C880AEEB7B9BF08350F108569E919A7281EB749A44CFA0

Function 007820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00782183
GetMenuItemCount.USER32(00000000), ref: 007821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007821DD
_wcslen.LIBCMT ref: 00782213
GetMenuItemID.USER32(?,?), ref: 0078224D
GetSubMenu.USER32(?,?), ref: 0078225B

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007822E3

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bc9b5b398bf0d184959e5727dcfaeebea7f4f33007a507ffe5e915519fc69d0d
Instruction ID: 71575960c1d1819f5536aaa5bf033b841b1ecf0f6357a87b1f8a780d85332123
Opcode Fuzzy Hash: bc9b5b398bf0d184959e5727dcfaeebea7f4f33007a507ffe5e915519fc69d0d
Instruction Fuzzy Hash: 61717175E40209EFCB10EF64C845AAEB7F5FF48321F258459E916EB352D738AD428B90

Function 00787E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00CC62A8), ref: 00787F37
IsWindowEnabled.USER32(00CC62A8), ref: 00787F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0078801E
SendMessageW.USER32(00CC62A8,000000B0,?,?), ref: 00788051
IsDlgButtonChecked.USER32(?,?), ref: 00788089
GetWindowLongW.USER32(00CC62A8,000000EC), ref: 007880AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007880C3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2941ff41e178d64e65feb8dd29d14db28ff99ec63104c2df10479d5cee0acc71
Instruction ID: 3d307188b51241ebca09802228fec48df1edcca65fcae6107f5215f8b6524329
Opcode Fuzzy Hash: 2941ff41e178d64e65feb8dd29d14db28ff99ec63104c2df10479d5cee0acc71
Instruction Fuzzy Hash: 0D71B274688204AFEB25AF55CC84FAA7BB5FF09300F644059FA4697261CB39EC46DB20

Function 0075AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0075AEF9
GetKeyboardState.USER32(?), ref: 0075AF0E
SetKeyboardState.USER32(?), ref: 0075AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0075AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0075AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0075AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0075B020

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 19407b863129cd9cb4f4917e81377a3d1dccb253b3bdeab7ef728dc30555df53
Instruction ID: 43c2b46accf22bb0b10e43eae4984bcafa97ba056e8e1f13d6277e2c5393c59a
Opcode Fuzzy Hash: 19407b863129cd9cb4f4917e81377a3d1dccb253b3bdeab7ef728dc30555df53
Instruction Fuzzy Hash: 275103A0A043D53DFB3242348C4ABFABEA95B06305F088599E9D9454C2D3EDECCCD361

Function 0075ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0075AD19
GetKeyboardState.USER32(?), ref: 0075AD2E
SetKeyboardState.USER32(?), ref: 0075AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0075ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0075ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0075AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0075AE38

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ccfb31d704fede2079639bfafd95c8c7687f75776f9be1e6a40c3b0182a76a79
Instruction ID: 98b0ec7c0f03fcb248c619e2d550cc0bba7561d2347df88a85d786f2bc1d6897
Opcode Fuzzy Hash: ccfb31d704fede2079639bfafd95c8c7687f75776f9be1e6a40c3b0182a76a79
Instruction Fuzzy Hash: C95108A16047D53DFB3353348C46BFABEA86B05302F0886A8E5D5568C2D2DCEC8CD762

Function 0072542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00733CD6,?,?,?,?,?,?,?,?,00725BA3,?,?,00733CD6,?,?), ref: 00725470
__fassign.LIBCMT ref: 007254EB
__fassign.LIBCMT ref: 00725506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00733CD6,00000005,00000000,00000000), ref: 0072552C
WriteFile.KERNEL32(?,00733CD6,00000000,00725BA3,00000000,?,?,?,?,?,?,?,?,?,00725BA3,?), ref: 0072554B
WriteFile.KERNEL32(?,?,00000001,00725BA3,00000000,?,?,?,?,?,?,?,?,?,00725BA3,?), ref: 00725584

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9320480439b530dc13ebd2a30c427c216a1df92c57152c3f6ea203c4c187549e
Instruction ID: f0748af104d366a9e6e36f65e85aa38fdb7a7cbbc6aa8b87503825ec96da804a
Opcode Fuzzy Hash: 9320480439b530dc13ebd2a30c427c216a1df92c57152c3f6ea203c4c187549e
Instruction Fuzzy Hash: 4B51E6709006589FDB11CFA8E885AEEBBFAEF09300F14411AF555E7291E734DA51CBA0

Function 007710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
Part of subcall function 0077304E: _wcslen.LIBCMT ref: 0077309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00771112
WSAGetLastError.WSOCK32 ref: 00771121
WSAGetLastError.WSOCK32 ref: 007711C9
closesocket.WSOCK32(00000000), ref: 007711F9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2585b4b633c5bc37d60476f858c5d4c6ce46c02a9ec1401547b118b389199a8a
Instruction ID: 50064738d61d7fa6d2e11a604ac5061098c0f912a9db6882017b187195683c09
Opcode Fuzzy Hash: 2585b4b633c5bc37d60476f858c5d4c6ce46c02a9ec1401547b118b389199a8a
Instruction Fuzzy Hash: 3E410531600208AFDB109F58C884BA9B7EAEF453A4F94C059FE099F291C778ED41CBE5

Function 0075CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075CF22,?), ref: 0075DDFD

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075CF22,?), ref: 0075DE16

lstrcmpiW.KERNEL32(?,?), ref: 0075CF45
MoveFileW.KERNEL32(?,?), ref: 0075CF7F
_wcslen.LIBCMT ref: 0075D005
_wcslen.LIBCMT ref: 0075D01B
SHFileOperationW.SHELL32(?), ref: 0075D061

Strings

\*.*, xrefs: 0075CFF3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 200798e983109d9137dd41d17ee0bd7b1a74bfc09ac8792a75e9c72aab3955af
Instruction ID: e4baa755111b02fb29f3439ccc982d1086a83ac2c2ed48232108715fca3c723e
Opcode Fuzzy Hash: 200798e983109d9137dd41d17ee0bd7b1a74bfc09ac8792a75e9c72aab3955af
Instruction Fuzzy Hash: 6E4158729452189FDF27EBA4DD85BDD77B9AF08381F1000E6E505E7181EA78AB88CB50

Function 00782DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00782E1C
GetWindowLongW.USER32(?,000000F0), ref: 00782E4F
GetWindowLongW.USER32(?,000000F0), ref: 00782E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00782EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00782EE0
GetWindowLongW.USER32(?,000000F0), ref: 00782EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00782F0B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 73f1092b80914555e03d3945e6767c7e241e0b40bb8cb0e34b9fa582462a0f01
Instruction ID: 804c07137c7e814db1ce394ad43d5093c6d5e1db9b3efabd78ce106d83d62f91
Opcode Fuzzy Hash: 73f1092b80914555e03d3945e6767c7e241e0b40bb8cb0e34b9fa582462a0f01
Instruction Fuzzy Hash: 2D312430784240AFEB21DF18DC88F6537E0FB8A711F6541A5F9008F2B2CB79A841DB18

Function 00757726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0075778F
SysAllocString.OLEAUT32(00000000), ref: 00757792
SysAllocString.OLEAUT32(?), ref: 007577B0
SysFreeString.OLEAUT32(?), ref: 007577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007577DE
SysAllocString.OLEAUT32(?), ref: 007577EC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f5d63e35d750b375daf2d0bd60e3eecbd864e2136fa61ceb0885ff63138c47f7
Instruction ID: ff62cb7265b04c89bc506edd1b589e9c118b2050de2b3f3416c528c884021729
Opcode Fuzzy Hash: f5d63e35d750b375daf2d0bd60e3eecbd864e2136fa61ceb0885ff63138c47f7
Instruction Fuzzy Hash: EA21AE76604219AFDB14DFA8EC88CFB77ACEB09364B108425FE04DB290D6B8DC85C764

Function 007577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00757868
SysAllocString.OLEAUT32(00000000), ref: 0075786B
SysAllocString.OLEAUT32 ref: 0075788C
SysFreeString.OLEAUT32 ref: 00757895
StringFromGUID2.OLE32(?,?,00000028), ref: 007578AF
SysAllocString.OLEAUT32(?), ref: 007578BD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 180627eed9938f1d7070e732d0c3ed1e8e334f46e8cbb61c6f48e8a471f7d4fc
Instruction ID: eb7b3d1b527b1082b8b090b2cd7bd3f25f49f6f783dc2fd8a1ea5ec2067de122
Opcode Fuzzy Hash: 180627eed9938f1d7070e732d0c3ed1e8e334f46e8cbb61c6f48e8a471f7d4fc
Instruction Fuzzy Hash: 9D21B671604214AFDB149FB8EC8CDBA77ECEB083607108125F915CB2A1D6B8EC85CB74

Function 007604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0076052E

Strings

nul, xrefs: 00760567

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bf562c7bc8ca070ff47e0de1135247bdac2c376ebba4c2ef7c6256db116512be
Instruction ID: b3ccd2694ab8212a2ad8ffe708e7ab3d650ee2d943f15b5f691cdbb34494ca9d
Opcode Fuzzy Hash: bf562c7bc8ca070ff47e0de1135247bdac2c376ebba4c2ef7c6256db116512be
Instruction Fuzzy Hash: 88216D75500305ABDB209F29DC48E9B77A4BF45724F204A19FCA3D62E1E7749960CFA0

Function 007605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00760601

Strings

nul, xrefs: 00760639

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3ac5b9948fe64ef3964872e08ea51655523e647eb665edfa41faa2a83419fe30
Instruction ID: e1164f290825a9b661b52a09fe31ff87035fa40ea3799fa6f797f5fdcbd35497
Opcode Fuzzy Hash: 3ac5b9948fe64ef3964872e08ea51655523e647eb665edfa41faa2a83419fe30
Instruction Fuzzy Hash: AE2192755403059BDB209F69CC48E9B77F4BF95720F204A19FCA2E72E0D7B89860CBA5

Function 007840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
Part of subcall function 006F600E: GetStockObject.GDI32(00000011), ref: 006F6060
Part of subcall function 006F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00784112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0078411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0078412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00784139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00784145

Strings

Msctls_Progress32, xrefs: 007840E3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: bffd124a16a446b07b14fbbc1b6f15efa6339f895212aca077cd2682daefa7fa
Instruction ID: 098f50dcfb9805f0a8ee65a256388d9b89ab346d4ba5666e3545e3ab9157f0d4
Opcode Fuzzy Hash: bffd124a16a446b07b14fbbc1b6f15efa6339f895212aca077cd2682daefa7fa
Instruction Fuzzy Hash: 6F1190B219021EBEEF119F64CC85EE77F9DEF08798F114110BA18A2090CA769C21DBA4

Function 0072D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0072D7A3: _free.LIBCMT ref: 0072D7CC

_free.LIBCMT ref: 0072D82D

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072D838
_free.LIBCMT ref: 0072D843
_free.LIBCMT ref: 0072D897
_free.LIBCMT ref: 0072D8A2
_free.LIBCMT ref: 0072D8AD
_free.LIBCMT ref: 0072D8B8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1afe24cca967fabe254edcbf039692efef0bcaa5f2b506780b165991184ffe64
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 66111F71540B24FAD531BFB0EC4BFCB7BDC6F04700F804825B2D9A65A3DA6DB9464A50

Function 0075DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0075DA74
LoadStringW.USER32(00000000), ref: 0075DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0075DA91
LoadStringW.USER32(00000000), ref: 0075DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0075DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0075DAB9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ad19c24180b3d3a57e553763f91df8453c3be53c9dfe566d020d0232d4d2fd0a
Instruction ID: 4373ce88f1f94738d44e13432e3bdb75e02e45de9a4a6b399f1a988944ee4f47
Opcode Fuzzy Hash: ad19c24180b3d3a57e553763f91df8453c3be53c9dfe566d020d0232d4d2fd0a
Instruction Fuzzy Hash: 240186F2940208BFF711ABA09D8DEE7336CE708701F5084A6B706E2041E6789E844F74

Function 0076096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CBEED8,00CBEED8), ref: 0076097B
EnterCriticalSection.KERNEL32(00CBEEB8,00000000), ref: 0076098D
TerminateThread.KERNEL32(?,000001F6), ref: 0076099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007609A9
CloseHandle.KERNEL32(?), ref: 007609B8
InterlockedExchange.KERNEL32(00CBEED8,000001F6), ref: 007609C8
LeaveCriticalSection.KERNEL32(00CBEEB8), ref: 007609CF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2bc716a8fae4d546c190055ee3e7a5670d53fd285702ba6397198a261b76262e
Instruction ID: b8e5d453e1effccd3a14ae9616b267381f3d83c02d55cba54f66346106e98f40
Opcode Fuzzy Hash: 2bc716a8fae4d546c190055ee3e7a5670d53fd285702ba6397198a261b76262e
Instruction Fuzzy Hash: 9AF0EC32482A12BBD7525FA4EE8DBD6BB39FF05712F506025F202908E1C779A465CFA4

Function 006F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006F5D30
GetWindowRect.USER32(?,?), ref: 006F5D71
ScreenToClient.USER32(?,?), ref: 006F5D99
GetClientRect.USER32(?,?), ref: 006F5ED7
GetWindowRect.USER32(?,?), ref: 006F5EF8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 52ae2b35f9646bb065a760303ec3dd565197787f2338e8d99e14890730c7c181
Instruction ID: 7d31dfb5911191ccacbccf869b06517d2d7c5efa573a63fcbaec35345e967da9
Opcode Fuzzy Hash: 52ae2b35f9646bb065a760303ec3dd565197787f2338e8d99e14890730c7c181
Instruction Fuzzy Hash: EBB16A74A0074ADBDB14CFA9C4807FAB7F2FF58310F14841AEAAAD7250DB34AA51DB54

Function 007201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007200D6
__allrem.LIBCMT ref: 007200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0072010B
__allrem.LIBCMT ref: 00720122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00720140

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 1448efe4918906e19afd48361064357949cfdd21720e7c138b423e9941ae403a
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 78811372A00716EBE7209E2CDC45BAE73E9AF41724F24413EF511D62C2E7B8D9418BA0

Function 00771D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00773149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0077101C,00000000,?,?,00000000), ref: 00773195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00771DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00771DE1
WSAGetLastError.WSOCK32 ref: 00771DF2
inet_ntoa.WSOCK32(?), ref: 00771E8C
htons.WSOCK32(?,?,?,?,?), ref: 00771EDB
_strlen.LIBCMT ref: 00771F35

Part of subcall function 007539E8: _strlen.LIBCMT ref: 007539F2

Part of subcall function 006F6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0070CF58,?,?,?), ref: 006F6DBA
Part of subcall function 006F6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0070CF58,?,?,?), ref: 006F6DED

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: ed37812d600866ab5417b57342b53e3e284f529c13ef369c61cdc8bb59a14b28
Instruction ID: 7b5955e35fbdf2e1e43f49b9b1cb9319d9a4ba603b34d3d98bf53e2309fb5dba
Opcode Fuzzy Hash: ed37812d600866ab5417b57342b53e3e284f529c13ef369c61cdc8bb59a14b28
Instruction Fuzzy Hash: 16A1DE30204340AFC724DF28C895F2A77E6AF85358F94894CF55A5B2A2CB79ED46CB91

Function 007261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007182D9,007182D9,?,?,?,0072644F,00000001,00000001,8BE85006), ref: 00726258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0072644F,00000001,00000001,8BE85006,?,?,?), ref: 007262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007263D8
__freea.LIBCMT ref: 007263E5

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

__freea.LIBCMT ref: 007263EE
__freea.LIBCMT ref: 00726413

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 62e8d611f639e44711a71492d4b91871877e20a2e00fd38300e94792d82bd946
Instruction ID: a63a65485d08a10314fd460e494bd6e3732a7d241c1f4bf11e21596a508eedfb
Opcode Fuzzy Hash: 62e8d611f639e44711a71492d4b91871877e20a2e00fd38300e94792d82bd946
Instruction Fuzzy Hash: C451E472A00266ABEB259F64EC85EBF77A9EF44710F15466AFC05D6182DB3CDC40C6A0

Function 0077BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077BD25
RegCloseKey.ADVAPI32(00000000), ref: 0077BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0077BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0077BDF3
RegCloseKey.ADVAPI32(?), ref: 0077BDFF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3d44aa27d220e862a42ca8dbe8cc86a82d36d290a2a6cbed904d720310a1d134
Instruction ID: 658be8d3059b528af7ef49a7bffcf4318b9ba3d3d0e7331eaeab8021780cd77d
Opcode Fuzzy Hash: 3d44aa27d220e862a42ca8dbe8cc86a82d36d290a2a6cbed904d720310a1d134
Instruction Fuzzy Hash: C081AE70208241EFDB15DF24C885E2ABBE5FF84348F14895CF5598B2A2DB35ED45CBA2

Function 0074F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0074F7B9
SysAllocString.OLEAUT32(00000001), ref: 0074F860
VariantCopy.OLEAUT32(0074FA64,00000000), ref: 0074F889
VariantClear.OLEAUT32(0074FA64), ref: 0074F8AD
VariantCopy.OLEAUT32(0074FA64,00000000), ref: 0074F8B1
VariantClear.OLEAUT32(?), ref: 0074F8BB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3b34bf1b8c24ee941da77df9627f8e57ddc2674c356a7c77ebdba68451090f56
Instruction ID: ec9e3d9b90591e487bce1ef6c8c32fe68fef92523c23e9f237fd379d516cdda6
Opcode Fuzzy Hash: 3b34bf1b8c24ee941da77df9627f8e57ddc2674c356a7c77ebdba68451090f56
Instruction Fuzzy Hash: A551E831A01350FACF24AF65D895B39B3E9EF45310F24946BE905DF291DB789C40CB66

Function 0076910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007694E5
_wcslen.LIBCMT ref: 00769506
_wcslen.LIBCMT ref: 0076952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00769585

Strings

X, xrefs: 00769412

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: a41500708eeef44793e1a035f3ba087cf4e6597990c092ed7482a87f24d6cf3d
Instruction ID: f230bf961fca39a3a512a14de3350054990f7e318c1751faffdbc62919021378
Opcode Fuzzy Hash: a41500708eeef44793e1a035f3ba087cf4e6597990c092ed7482a87f24d6cf3d
Instruction Fuzzy Hash: A1E1C031608350DFC764DF24C881A6AB7E5BF85310F04896DFA8A9B3A2DB34DD05CB92

Function 0070920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

BeginPaint.USER32(?,?,?), ref: 00709241
GetWindowRect.USER32(?,?), ref: 007092A5
ScreenToClient.USER32(?,?), ref: 007092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007092D3
EndPaint.USER32(?,?,?,?,?), ref: 00709321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007471EA

Part of subcall function 00709339: BeginPath.GDI32(00000000), ref: 00709357

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1c0862f2e33c7f3850da33c4ba0a619ef271c6851af7f86c036e767d50adb979
Instruction ID: 98a535ef260e3817fb7e410b431aee19ca7989793a3903c476e9043b61a3adc9
Opcode Fuzzy Hash: 1c0862f2e33c7f3850da33c4ba0a619ef271c6851af7f86c036e767d50adb979
Instruction Fuzzy Hash: 13419E70104240EFD721DF24CC88FBA7BF8EB86320F144229FA94872E2C779A845DB61

Function 007607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0076080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00760847
EnterCriticalSection.KERNEL32(?), ref: 00760863
LeaveCriticalSection.KERNEL32(?), ref: 007608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00760921

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c79c46aad314694332cf8d641c7061a15aa874fd8ca90d2365cd61fcdff6b009
Instruction ID: de871908a9623606b76d00d81261791eff14ea4e8a91f77fe988c82480815218
Opcode Fuzzy Hash: c79c46aad314694332cf8d641c7061a15aa874fd8ca90d2365cd61fcdff6b009
Instruction Fuzzy Hash: 7A418B71900205EBDF15EF54DC85AAA77B9FF04310F1080A9ED019B297D738EE64DBA4

Function 007881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0074F3AB,00000000,?,?,00000000,?,0074682C,00000004,00000000,00000000), ref: 0078824C
EnableWindow.USER32(?,00000000), ref: 00788272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007882D1
ShowWindow.USER32(?,00000004), ref: 007882E5
EnableWindow.USER32(?,00000001), ref: 0078830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0078832F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 551b5e476bc6bbd88d906736f0fac8d2523a485143ad5faea51135a9cbcff66c
Instruction ID: 041c31116a5dc495104308e61c343544a98483a27ed198fcd37af87f3bfe7734
Opcode Fuzzy Hash: 551b5e476bc6bbd88d906736f0fac8d2523a485143ad5faea51135a9cbcff66c
Instruction Fuzzy Hash: 9141C734641644EFDB62EF14C899FE87BE0FB06714F9841B9E5088B263CB39A841CB55

Function 00754C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00754C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00754CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00754CEA
_wcslen.LIBCMT ref: 00754D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00754D10
_wcsstr.LIBVCRUNTIME ref: 00754D1A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0db5a4badb3efcf6b80e749b71b0d6229dd13a0f0625a46c3d6f5e52c4569ed0
Instruction ID: 80c845f5c8e5ce54eecaa5dfd64cb6d3b7ae8ded7b7e7d34d5c2c8e5528c06a9
Opcode Fuzzy Hash: 0db5a4badb3efcf6b80e749b71b0d6229dd13a0f0625a46c3d6f5e52c4569ed0
Instruction Fuzzy Hash: 20210732704200BBEB255B39DC09EBB7BA8DF45754F108079FD05CA191EAA9DC8483A0

Function 0076581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006F3A97,?,?,006F2E7F,?,?,?,00000000), ref: 006F3AC2

_wcslen.LIBCMT ref: 0076587B
CoInitialize.OLE32(00000000), ref: 00765995
CoCreateInstance.OLE32(0078FCF8,00000000,00000001,0078FB68,?), ref: 007659AE
CoUninitialize.OLE32 ref: 007659CC

Strings

.lnk, xrefs: 00765876, 007658C1, 00765985

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4a0b4e9806cb6726aed67474fe0a0bf873c836b61f2b07f73f256bcd1ffc180a
Instruction ID: d1629f60ab4d46bc41e67cbcfbe99a6500b77a915c579279c1efcd5d9cfe0f77
Opcode Fuzzy Hash: 4a0b4e9806cb6726aed67474fe0a0bf873c836b61f2b07f73f256bcd1ffc180a
Instruction Fuzzy Hash: BAD163B0608705DFC714DF24C484A2ABBE2EF89720F14895DF98A9B361DB35EC45CB92

Function 0075175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00750FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00750FCA
Part of subcall function 00750FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00750FD6
Part of subcall function 00750FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00750FE5
Part of subcall function 00750FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00750FEC
Part of subcall function 00750FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00751002

GetLengthSid.ADVAPI32(?,00000000,00751335), ref: 007517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007517BA
HeapAlloc.KERNEL32(00000000), ref: 007517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007517DA
GetProcessHeap.KERNEL32(00000000,00000000,00751335), ref: 007517EE
HeapFree.KERNEL32(00000000), ref: 007517F5

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 10f02fa8e1d947b6e70b963c8a64f910f795f1178a8e6c3f82f730ab3e37d84a
Instruction ID: a9b38d549f08852019cecabb9043fdce9a4f242589952f46a396ca45c4dc240c
Opcode Fuzzy Hash: 10f02fa8e1d947b6e70b963c8a64f910f795f1178a8e6c3f82f730ab3e37d84a
Instruction Fuzzy Hash: 8711EE71900204FFDB119FA8CC89BEE7BA8EB49357F608918F841A7210C779AD08CB64

Function 007514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00751506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00751515
CloseHandle.KERNEL32(00000004), ref: 00751520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00751563

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7a10509afb59f1379325a8d5509a8a5e5f56df12a27ddae0bb3e96466fbf2ed7
Instruction ID: e75fcf4db73e20b276d74a7b3258543dcd8e2be7e5bc16f1b0af935f104eb6b4
Opcode Fuzzy Hash: 7a10509afb59f1379325a8d5509a8a5e5f56df12a27ddae0bb3e96466fbf2ed7
Instruction Fuzzy Hash: 0E119D7210024DABDF128F94DD09FDE3BA9EF48746F148018FE05A2060D3B9CE64EB61

Function 00713382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00713379,00712FE5), ref: 00713390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0071339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007133B7
SetLastError.KERNEL32(00000000,?,00713379,00712FE5), ref: 00713409

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d1fdd39a540152c238dc3082ea7b29e05975b85e94a00e33b129413ebe32ae92
Instruction ID: 51a2c378b7f0f0745b192ae783725b8ec376fa60c7ccda76f7ea5c2530ad018a
Opcode Fuzzy Hash: d1fdd39a540152c238dc3082ea7b29e05975b85e94a00e33b129413ebe32ae92
Instruction Fuzzy Hash: 7C01D832709311FEAB163B7C7C89AE62A54EB053757208329F420891F1EF1D4E82555C

Function 00722D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00725686,00733CD6,?,00000000,?,00725B6A,?,?,?,?,?,0071E6D1,?,007B8A48), ref: 00722D78
_free.LIBCMT ref: 00722DAB
_free.LIBCMT ref: 00722DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0071E6D1,?,007B8A48,00000010,006F4F4A,?,?,00000000,00733CD6), ref: 00722DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0071E6D1,?,007B8A48,00000010,006F4F4A,?,?,00000000,00733CD6), ref: 00722DEC
_abort.LIBCMT ref: 00722DF2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2f6445917f3f6ad09ddad1adb98e7ad45f4f77057038a84a1a37a6c7dff37b39
Instruction ID: 8f2e20fcfd7680177b93526e69c5df9602b220f54b239d21fc306b2fef6c09b7
Opcode Fuzzy Hash: 2f6445917f3f6ad09ddad1adb98e7ad45f4f77057038a84a1a37a6c7dff37b39
Instruction Fuzzy Hash: 0BF0A436744630B7C2132738BC0EE5A2699ABC27A1B348518F824A21E3EE3CD8434271

Function 00788A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00709639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096A2
Part of subcall function 00709639: BeginPath.GDI32(?), ref: 007096B9
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00788A4E
LineTo.GDI32(?,00000003,00000000), ref: 00788A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00788A70
LineTo.GDI32(?,00000000,00000003), ref: 00788A80
EndPath.GDI32(?), ref: 00788A90
StrokePath.GDI32(?), ref: 00788AA0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ffeebf866c53322efe65dd4445f821584b676a1fa6fcd843b3c3896cf8e1b8f7
Instruction ID: c181f26711c3f93bd8eeb671c485d6ee4f7abccfe4da059d77179bee05462b11
Opcode Fuzzy Hash: ffeebf866c53322efe65dd4445f821584b676a1fa6fcd843b3c3896cf8e1b8f7
Instruction Fuzzy Hash: 2F11097604014CFFDB129F90DC88EAA7F6DEB08390F10C022BA199A1A1C775AD55DBA5

Function 007551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00755218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00755229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00755230
ReleaseDC.USER32(00000000,00000000), ref: 00755238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0075524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00755261

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 02022d740eb6246694591aa68447d8c398ab71e7c0a2944ab95ab3ce9d99aafd
Instruction ID: 3bcfc23e3958c9843d3e68ba5671cef554421089ca8612eb8cb7e15037d33cda
Opcode Fuzzy Hash: 02022d740eb6246694591aa68447d8c398ab71e7c0a2944ab95ab3ce9d99aafd
Instruction Fuzzy Hash: 02018FB5E40708BBEB119BB59C49A4EBFB8FF48351F148065FA04E7280DA749804CBA4

Function 006F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F1C22

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8c936e60a9ff9f21b0eeeb87c08297ef4943b0d7cb250b50fdccf73afe202e7f
Instruction ID: dc52a45f81e59df53f09d4cb4478895fb6cb274729cd119423b2b3a544d7a0d4
Opcode Fuzzy Hash: 8c936e60a9ff9f21b0eeeb87c08297ef4943b0d7cb250b50fdccf73afe202e7f
Instruction Fuzzy Hash: ED016CB09427597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 0075EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0075EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0075EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0075EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0075EB75

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fd8dd470a1ef6a2c04d5a99aa90b80a716631d7d1400dd653a3cc8d21542fbc9
Instruction ID: b71502eb6c1a5ae8472fe98ca8871064704503f5bace4415a16056f7298a8e31
Opcode Fuzzy Hash: fd8dd470a1ef6a2c04d5a99aa90b80a716631d7d1400dd653a3cc8d21542fbc9
Instruction Fuzzy Hash: 80F054B2680158BBE72257529C4EEEF3E7CEFCAB11F108168F601D1091E7B85A01C7B9

Function 00747439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00747452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00747469
GetWindowDC.USER32(?), ref: 00747475
GetPixel.GDI32(00000000,?,?), ref: 00747484
ReleaseDC.USER32(?,00000000), ref: 00747496
GetSysColor.USER32(00000005), ref: 007474B0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b2c04a6b364f9ebf910a225393034433fd02af79c6198e0d3b9be5bdbf40494d
Instruction ID: 5072e42ba2c72739ca1f03e128ace99d6486bb8fe1e9d0f711dec9abbb0657c2
Opcode Fuzzy Hash: b2c04a6b364f9ebf910a225393034433fd02af79c6198e0d3b9be5bdbf40494d
Instruction Fuzzy Hash: B801AD31540205EFDB125FA4EC08BBA7BB5FF04321F708164F915A21A1CB391E51EB24

Function 00751874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0075187F
UnloadUserProfile.USERENV(?,?), ref: 0075188B
CloseHandle.KERNEL32(?), ref: 00751894
CloseHandle.KERNEL32(?), ref: 0075189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007518A5
HeapFree.KERNEL32(00000000), ref: 007518AC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ab2892cac1b7e3f227b3f554b57302e357ca59fb2278e9e92853eedd7f3e525a
Instruction ID: 5bf06edb8c93edaf652fcf37e14bfbde19d55178d2d1d09c34f3359cf9663953
Opcode Fuzzy Hash: ab2892cac1b7e3f227b3f554b57302e357ca59fb2278e9e92853eedd7f3e525a
Instruction Fuzzy Hash: DCE0E576484105BBDB025FA1ED0CD0ABF39FF49B22B20C220F22581474CB369821EF68

Function 006FBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006FBEB3

Strings

D%|, xrefs: 006FBE9A
D%|, xrefs: 006FBDED, 006FBD91, 006FBD1B
D%|D%|, xrefs: 006FBCA5
D%|, xrefs: 006FBCA2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%|$D%|$D%|$D%|D%|
API String ID: 1385522511-1919417341
Opcode ID: c0bb3beacb4b493bfca605f3ce42163a00baf8eac437c51b9a3155336f29d56e
Instruction ID: a6a2339168449304bc59e8c2df3c7d58a01ebad32c883df4aa44af37913edcf0
Opcode Fuzzy Hash: c0bb3beacb4b493bfca605f3ce42163a00baf8eac437c51b9a3155336f29d56e
Instruction Fuzzy Hash: F9913A75A0020ACFCB18CF58C091ABAB7F2FF58310F24916EDA55AB351D775E982CB90

Function 00777B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00710242: EnterCriticalSection.KERNEL32(007C070C,007C1884,?,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071024D
Part of subcall function 00710242: LeaveCriticalSection.KERNEL32(007C070C,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071028A

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

__Init_thread_footer.LIBCMT ref: 00777BFB

Part of subcall function 007101F8: EnterCriticalSection.KERNEL32(007C070C,?,?,00708747,007C2514), ref: 00710202
Part of subcall function 007101F8: LeaveCriticalSection.KERNEL32(007C070C,?,00708747,007C2514), ref: 00710235

Strings

5, xrefs: 00777C78
Variable must be of type 'Object'., xrefs: 00777C3A
G, xrefs: 00777C7F
+Tt, xrefs: 00777E2E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tt$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3166622399
Opcode ID: 43f30e8a77798fe2d25e8dd08bb477f7cbd7b72081b96f6d48a49587efd84c69
Instruction ID: 4d6ec24e7cc24684db50f201b954bee1d09339f9c5f4a51c73af656a73437236
Opcode Fuzzy Hash: 43f30e8a77798fe2d25e8dd08bb477f7cbd7b72081b96f6d48a49587efd84c69
Instruction Fuzzy Hash: 9B916B70A04209EFCF19EF54D8959BDB7B6BF48340F10805DF81A9B292DB79AE41CB61

Function 0075C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075C6EE
_wcslen.LIBCMT ref: 0075C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0075C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0075C7CA

Strings

0, xrefs: 0075C6AF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ac028ee6846a34042ff94f3d4fb583071d22ed75c46ec39a2bdb433e5ae5370b
Instruction ID: f0bf199edd7a0dd4bdb1a58e9f22ab7deddbb8a817906bcec6f903759c4797c7
Opcode Fuzzy Hash: ac028ee6846a34042ff94f3d4fb583071d22ed75c46ec39a2bdb433e5ae5370b
Instruction Fuzzy Hash: 6E51CD716043019FD7529E28C885BAAB7E8EB49311F040A2DFD95D35E1DBB8DD088B96

Function 0077AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0077AEA3

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

GetProcessId.KERNEL32(00000000), ref: 0077AF38
CloseHandle.KERNEL32(00000000), ref: 0077AF67

Strings

<, xrefs: 0077AE6B
@, xrefs: 0077AE72

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3ebf65c7104cea63c4a3b44134d4fd6f1eaefbae33128511c1b243ef35afb433
Instruction ID: 36fa17f7a5a338d6470c7d7a9b1f27d5701809272e3144c651d68e628d4db51b
Opcode Fuzzy Hash: 3ebf65c7104cea63c4a3b44134d4fd6f1eaefbae33128511c1b243ef35afb433
Instruction Fuzzy Hash: 70715870A00619EFDF14DF54C485AAEBBF1BF48314F048499E81AAB392CB78ED45CB95

Function 0075719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00757206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0075723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0075724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007572CF

Strings

DllGetClassObject, xrefs: 00757242

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ad068af2697cee50e3991c0fb82b1d0837fb1b0c4bc6d2ef4e32ed84e1f2bb8b
Instruction ID: 2500557ea6bfadbc8e8e555e8eaca64a45d0d9a33310d8dea1a93657f5d2fd55
Opcode Fuzzy Hash: ad068af2697cee50e3991c0fb82b1d0837fb1b0c4bc6d2ef4e32ed84e1f2bb8b
Instruction Fuzzy Hash: 15412FB1A04204EFDB19CF54D884ADA7BB9FF44311F2480A9BD059F20AD7F9D949DBA0

Function 00783D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00783E35
IsMenu.USER32(?), ref: 00783E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00783E92
DrawMenuBar.USER32 ref: 00783EA5

Strings

0, xrefs: 00783D89

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0033662af6e438ea43784c621679c17f70cbe0642a08ca5f7442bd5c84dd9cf7
Instruction ID: 96cb4e19ce9829bfec9b42c85715fdb406e71f327e3ba72335bb807463959e34
Opcode Fuzzy Hash: 0033662af6e438ea43784c621679c17f70cbe0642a08ca5f7442bd5c84dd9cf7
Instruction Fuzzy Hash: 54416775A00209EFDF10EF69D884EAABBB9FF49750F148129E915A7250D738AE50CF60

Function 00751DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00751E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00751E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00751EA9

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Strings

ListBox, xrefs: 00751E25
ComboBox, xrefs: 00751DF0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 1c07ab0c865b3d55526ce39feb1e0274331813518e12a96f2206e0c378fd5d4a
Instruction ID: 04d357dc859e23d447d26f1c598157ec078bf2f71f30cb606fc9ea03d6214c51
Opcode Fuzzy Hash: 1c07ab0c865b3d55526ce39feb1e0274331813518e12a96f2206e0c378fd5d4a
Instruction Fuzzy Hash: 64212371A00108AADB14AB64CC4AEFFB7B9DF42392B54452DFC21A31E0DB7C490D8630

Function 0077C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077C9F1
_wcslen.LIBCMT ref: 0077CA68
_wcslen.LIBCMT ref: 0077CA9E
_wcslen.LIBCMT ref: 0077CAF9
_wcslen.LIBCMT ref: 0077CB2F
_wcslen.LIBCMT ref: 0077CB7F

Strings

HKLM, xrefs: 0077CA98, 0077CA9D
HKEY_LOCAL_MACHINE, xrefs: 0077CA62, 0077CA67

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 1217d363a633cf571928fc34f25221140f85627c9de3ce9eb235a4bf2632862b
Instruction ID: a18f83d54dc343ab119731122f87ca2a412394667c10d3a9cb5f07de64ab6795
Opcode Fuzzy Hash: 1217d363a633cf571928fc34f25221140f85627c9de3ce9eb235a4bf2632862b
Instruction Fuzzy Hash: 20310973A0056A8BCF22DF2C98415BE33915BA97D5B07C02DEC49AB345F678CD80C3A0

Function 00782F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00782F8D
LoadLibraryW.KERNEL32(?), ref: 00782F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00782FA9
DestroyWindow.USER32(?), ref: 00782FB1

Strings

SysAnimate32, xrefs: 00782F68

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6bab799fbdfdc5e8477529c6bae4495a1147cea30e4ee6cf22ffffccd1257618
Instruction ID: 6ac55fad217ebeb4d56f21c5679c82e5ab2b9c5db22c1e75d9400a5f3952187c
Opcode Fuzzy Hash: 6bab799fbdfdc5e8477529c6bae4495a1147cea30e4ee6cf22ffffccd1257618
Instruction Fuzzy Hash: 6921DC71244209ABEB116F64DC84EBB37B9EF59325F204628FA10D20A2D779DC52D760

Function 00714D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00714D1E,007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002), ref: 00714D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00714DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00714D1E,007228E9,?,00714CBE,007228E9,007B88B8,0000000C,00714E15,007228E9,00000002,00000000), ref: 00714DC3

Strings

CorExitProcess, xrefs: 00714D98
mscoree.dll, xrefs: 00714D86

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d79c2c11f14421247a80fe0f9c609ff4503a685a1b2fefc4b0ea11c70cf96681
Instruction ID: a60a8ddf281e321e215309b37d842430cf9265f98bafa8870bf575e69f663f40
Opcode Fuzzy Hash: d79c2c11f14421247a80fe0f9c609ff4503a685a1b2fefc4b0ea11c70cf96681
Instruction Fuzzy Hash: 50F0A430A50208BFDF115F94EC49BDDBBB5EF04712F104094F905A2190CB385A80CBD5

Function 0074D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0074D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0074D3BF
FreeLibrary.KERNEL32(00000000), ref: 0074D3E5

Strings

X64, xrefs: 0074D2A8
GetSystemWow64DirectoryW, xrefs: 0074D3B9

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 1398769871505b99b96302531416c5284ffe9f5d3739c445aaa8e42bf0f6fbbc
Instruction ID: c8ddcf0debd29f68919594a95a8c24b44f848730b5640cc1e3df3fd0def3d41b
Opcode Fuzzy Hash: 1398769871505b99b96302531416c5284ffe9f5d3739c445aaa8e42bf0f6fbbc
Instruction Fuzzy Hash: EEF055B1942620DBD3322B108C8CA693714BF02B01BA4C1A8F882E1140DBBCCC4087A3

Function 006F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006F4EAE
FreeLibrary.KERNEL32(00000000,?,?,006F4EDD,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 006F4EA8
kernel32.dll, xrefs: 006F4E94

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ebc41899d6c57628edc0fcb7bffad33162250c04a5340a5daa3dfd13d6b3d37c
Instruction ID: 73e56fe7ae25a64dd119656c15408736bece67047b2e6dc23b4b0a324607781d
Opcode Fuzzy Hash: ebc41899d6c57628edc0fcb7bffad33162250c04a5340a5daa3dfd13d6b3d37c
Instruction Fuzzy Hash: 06E08675E416265B93331B257C5CBAB6955AF81F627154115FE00D2700DF78CD0582B4

Function 006F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006F4E74
FreeLibrary.KERNEL32(00000000,?,?,00733CDE,?,007C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 006F4E6E
kernel32.dll, xrefs: 006F4E5B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b381ffbad5e2b9d3c02faa571e5cf21ab09144d63e53e76d45bd37a27af63a78
Instruction ID: c9692e604211d32838d9acf19ece3a169ae7b5b5ff51c54b766ed49d9534d06e
Opcode Fuzzy Hash: b381ffbad5e2b9d3c02faa571e5cf21ab09144d63e53e76d45bd37a27af63a78
Instruction Fuzzy Hash: DFD0C271946A255747331B257C0CEDB2A1AAF81F113154210BA00A2210CF38CD0583F4

Function 00762947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762C05
DeleteFileW.KERNEL32(?), ref: 00762C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00762C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00762CC0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 85b486ae15182a644fff0aadd9a2aa2ee54337cc87f0b6b59275980c50c980e1
Instruction ID: bb091ef65f907e9c66fd6dfebf16511a9d8047dcf5dd4e6b0cff7f00e40252f8
Opcode Fuzzy Hash: 85b486ae15182a644fff0aadd9a2aa2ee54337cc87f0b6b59275980c50c980e1
Instruction Fuzzy Hash: E8B1617190051DABDF61DBA4CC89EDE77BDEF08300F1040A6FA0AE6142EA349E458F65

Function 0077A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0077A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0077A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0077A468
CloseHandle.KERNEL32(?), ref: 0077A63D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 74c232d930dbab51590e388b167ebeb776125f3ad36ea9b93aa1e337e20a91cc
Instruction ID: ae6024d21a71c04595ed09d4d8db1b07bd000ad223ea012a7e7b2b357146a774
Opcode Fuzzy Hash: 74c232d930dbab51590e388b167ebeb776125f3ad36ea9b93aa1e337e20a91cc
Instruction Fuzzy Hash: 7CA1A171604301AFEB20DF24C886F2AB7E5AF84714F14C85DF95A9B2D2D7B4EC418B96

Function 0075E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0075CF22,?), ref: 0075DDFD

Part of subcall function 0075DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0075CF22,?), ref: 0075DE16

Part of subcall function 0075E199: GetFileAttributesW.KERNEL32(?,0075CF95), ref: 0075E19A

lstrcmpiW.KERNEL32(?,?), ref: 0075E473
MoveFileW.KERNEL32(?,?), ref: 0075E4AC
_wcslen.LIBCMT ref: 0075E5EB
_wcslen.LIBCMT ref: 0075E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0075E650

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: cff009c88600eec4d955c27ed19c04b06fa06fff8678f731953015826c257eb6
Instruction ID: a7d55b635211755304065c72c264fc72cafe916f4b61d4afb53b0841c8874b6b
Opcode Fuzzy Hash: cff009c88600eec4d955c27ed19c04b06fa06fff8678f731953015826c257eb6
Instruction Fuzzy Hash: 525175B24083859BC778DB94DC859DB73ECAF84341F00491EFA89D3191EF79A68C8766

Function 0077B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 0077C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0077B6AE,?,?), ref: 0077C9B5
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077C9F1
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA68
Part of subcall function 0077C998: _wcslen.LIBCMT ref: 0077CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0077BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0077BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0077BB63
RegCloseKey.ADVAPI32(?,?), ref: 0077BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0077BBB3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fdeefa71cbd510c9f59a1e349036704e05720a3af481b0b2ab6a3a4c4a667c53
Instruction ID: 180a319158901cc6b887201ed0a7ab246a3c7714ab4f163cba5c595d83d5b0cb
Opcode Fuzzy Hash: fdeefa71cbd510c9f59a1e349036704e05720a3af481b0b2ab6a3a4c4a667c53
Instruction Fuzzy Hash: DB617B71208245AFD714DF24C890F2ABBE5BF84348F14895CF5998B2A2DB35ED45CB92

Function 00758BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00758BCD
VariantClear.OLEAUT32 ref: 00758C3E
VariantClear.OLEAUT32 ref: 00758C9D
VariantClear.OLEAUT32(?), ref: 00758D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00758D3B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 827e5ca6c9303bc6ff938af0834c0ed8f7834f7312fe22adfbcd861f602fe01a
Instruction ID: 9ec384a3ebeb576dd78fafd3995fc531b8c8ddff02c3c5102520af8f53d90cbd
Opcode Fuzzy Hash: 827e5ca6c9303bc6ff938af0834c0ed8f7834f7312fe22adfbcd861f602fe01a
Instruction Fuzzy Hash: E1516BB5A00219DFCB10CF68C884AAAB7F4FF8D310B158559E919EB350E774E911CBA0

Function 00768AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00768BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00768BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00768C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00768C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00768C5F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d0860727d434ae9b0d06ddbf86380b5bccdb185d306ec71edae3521b32780de0
Instruction ID: bb1f000437b6d7d6a1c8e6b4ce13c8c0900fcb92550ea5b55f74cd204fe26df1
Opcode Fuzzy Hash: d0860727d434ae9b0d06ddbf86380b5bccdb185d306ec71edae3521b32780de0
Instruction Fuzzy Hash: 7C515F35A00219DFCB15DF54C880E69BBF5FF48314F088498E94AAB3A2CB35ED45CBA5

Function 00778EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00778F40
GetProcAddress.KERNEL32(00000000,?), ref: 00778FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00778FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00779032
FreeLibrary.KERNEL32(00000000), ref: 00779052

Part of subcall function 0070F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00761043,?,753CE610), ref: 0070F6E6
Part of subcall function 0070F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0074FA64,00000000,00000000,?,?,00761043,?,753CE610,?,0074FA64), ref: 0070F70D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 78c7c127ac93ef0e959e86cc62112db23503adabf75a89f856e4092445a81b50
Instruction ID: daf503ba6ce7d2a2e22cc7d281fa6dbe63fe805db4de97f9814f07323b0cfe61
Opcode Fuzzy Hash: 78c7c127ac93ef0e959e86cc62112db23503adabf75a89f856e4092445a81b50
Instruction Fuzzy Hash: 48515934605209DFCB55DF58C4948ADBBF2FF49354B08C0A8E90AAB362DB35ED85CB91

Function 00786B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00786C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00786C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00786C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0076AB79,00000000,00000000), ref: 00786C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00786CC7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 570d964345d0e9ee78d61599833e15da5b42918fd3df31b23b2735bfcef1becf
Instruction ID: b600c1ba8ce794ed79b74f3f1d3ee1e094dc26ac68c43cdaeabf61ffe3d55bad
Opcode Fuzzy Hash: 570d964345d0e9ee78d61599833e15da5b42918fd3df31b23b2735bfcef1becf
Instruction Fuzzy Hash: 1541D275680104BFDB25EF28CC58FA97BA5EB09350F254268F895A72E0D379FD40CB60

Function 00722051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007220C3
_free.LIBCMT ref: 007220E3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c0d31bad15f9bad9e99ccaa0e6b069159d30ba9f7f092f3c6dec66b7f24f04a4
Instruction ID: 95fa276194453b7b90ec21f256ff017b3896bcc17e389a3952cc418322c71436
Opcode Fuzzy Hash: c0d31bad15f9bad9e99ccaa0e6b069159d30ba9f7f092f3c6dec66b7f24f04a4
Instruction Fuzzy Hash: 7041E432A00214EFCB20DF78D884A5DB3E5EF88310F1585A8E515EB392EB35ED02CB81

Function 0070912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00709141
ScreenToClient.USER32(00000000,?), ref: 0070915E
GetAsyncKeyState.USER32(00000001), ref: 00709183
GetAsyncKeyState.USER32(00000002), ref: 0070919D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: baedbb6c707e81f98bb3990d3258366c675dc0a190f4e33f0094e562dd9f9ccc
Instruction ID: e9213fea1769e78e6fc9cd66de0c5f2532318e194d5f80dbf54e35989c9354c5
Opcode Fuzzy Hash: baedbb6c707e81f98bb3990d3258366c675dc0a190f4e33f0094e562dd9f9ccc
Instruction Fuzzy Hash: F8415E71A0860AFBDF199F68C848BEEB7B5FF45320F208315E525A62D1D7386950CBA1

Function 00763874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00763922
TranslateMessage.USER32(?), ref: 0076394B
DispatchMessageW.USER32(?), ref: 00763955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00763966

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b6e124582e8e73429cdc7738c4e348e68d350e54f221fc64bfb5746f4c09f09e
Instruction ID: 571e39b3d88a727d062486987327a818e76e959599fbc74a716f029654be1437
Opcode Fuzzy Hash: b6e124582e8e73429cdc7738c4e348e68d350e54f221fc64bfb5746f4c09f09e
Instruction Fuzzy Hash: EC3186705043829EEB25CB34D848FB637A8EB06308F54456DE867C21A1E7BCBA85CF25

Function 0076CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0076CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0076C21E,00000000), ref: 0076CFF2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2849b469ff2987e6a0b4a2c963c968278f48bc42885deaad42fed82d635e567a
Instruction ID: 41ceedf7a1d78b841907613ad301eeac87a939e5a20c2c3c7c40a2af6d379baa
Opcode Fuzzy Hash: 2849b469ff2987e6a0b4a2c963c968278f48bc42885deaad42fed82d635e567a
Instruction Fuzzy Hash: 49315072600205EFDB21DFA5D8889BBBBF9EB14350B10842EF957D2541D738AE41DBA0

Function 00751901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00751915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007519E2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 40d0b1e3f0f090d47fdb9dc7fc3a058bf106a41f7e268f233033fda1744c3c12
Instruction ID: 2e12bc3336e2ac851d1299ec6147be4c5cdf95e5dc503a4e11d77a1fa1853d4c
Opcode Fuzzy Hash: 40d0b1e3f0f090d47fdb9dc7fc3a058bf106a41f7e268f233033fda1744c3c12
Instruction Fuzzy Hash: CD31A171A00259EFCB00CFA8C999BDE7BB5EB44316F108225FD21A72D1C7B4AD48CB90

Function 00785706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00785745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0078579D
_wcslen.LIBCMT ref: 007857AF
_wcslen.LIBCMT ref: 007857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00785816

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d57dc7572de03f6cdc492adbb04bc2717514d7928b702cea6f8d9e97245efff7
Instruction ID: be1178a80e458a69cfbd90ef8ae3c400a3c55ba75e58b52c668a9cfe1e1cffac
Opcode Fuzzy Hash: d57dc7572de03f6cdc492adbb04bc2717514d7928b702cea6f8d9e97245efff7
Instruction Fuzzy Hash: 3921A571944618DADB21AF64CC84EEDB7B8FF04320F108266E929EA1D0D7789985CF50

Function 00770930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00770951
GetForegroundWindow.USER32 ref: 00770968
GetDC.USER32(00000000), ref: 007709A4
GetPixel.GDI32(00000000,?,00000003), ref: 007709B0
ReleaseDC.USER32(00000000,00000003), ref: 007709E8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ae3f89a5f5fb987fbb4f851b9baca70e3e7e9ba77947a53773447b18a9a7a56e
Instruction ID: 46b22ed17009eace5f1c843f2247ca18665c1d62205c75fb32093d827ac457f4
Opcode Fuzzy Hash: ae3f89a5f5fb987fbb4f851b9baca70e3e7e9ba77947a53773447b18a9a7a56e
Instruction Fuzzy Hash: 40216F39600204EFD704EF65D988AAEBBE5EF44744F14C06CE94A97352DB38AC04CBA0

Function 0072CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0072CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0072CDE9

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0072CE0F
_free.LIBCMT ref: 0072CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0072CE31

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 04e736fdd48ce85d67f75971aa359adc5a80c0dda04e653d6e5e3dced8edc837
Instruction ID: 429be7a7b10b525c4b1a50f417c68443c5c004576569970513e86a45abde40de
Opcode Fuzzy Hash: 04e736fdd48ce85d67f75971aa359adc5a80c0dda04e653d6e5e3dced8edc837
Instruction Fuzzy Hash: E701D472E012357F232316B67C8CC7F696DDED6BA1326412DF905C7201EA798D0282B5

Function 00709639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
SelectObject.GDI32(?,00000000), ref: 007096A2
BeginPath.GDI32(?), ref: 007096B9
SelectObject.GDI32(?,00000000), ref: 007096E2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 319581ca85bbb853d66ec6bac3bb432b192d21fcc18ff3809be4e09fd00ea61a
Instruction ID: dbaa2de2946830646b12492c498905508abb6eeadac6bf8d07c5c0fcb0af8f4c
Opcode Fuzzy Hash: 319581ca85bbb853d66ec6bac3bb432b192d21fcc18ff3809be4e09fd00ea61a
Instruction Fuzzy Hash: 45218370801345EBDB119F24EC08BA93BB4BB41755F608329F510971F2D37DA851CF98

Function 00755711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00755726
_memcmp.LIBVCRUNTIME ref: 00755744
_memcmp.LIBVCRUNTIME ref: 00755757
_memcmp.LIBVCRUNTIME ref: 0075576F
_memcmp.LIBVCRUNTIME ref: 00755787

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: be4ec958db2b1b73afdf5dd29b6e7982a7cf521faa86df6a68f17288d42e8073
Instruction ID: 89da64c04fe0499e7c0684927d944087d75f3ebc25e17248f5450bdb8cff6cdc
Opcode Fuzzy Hash: be4ec958db2b1b73afdf5dd29b6e7982a7cf521faa86df6a68f17288d42e8073
Instruction Fuzzy Hash: 8901B5A1681A0DFBE30865259D92FFB735D9B25396F504420FE149E281F7ACEE5483B0

Function 00722DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0071F2DE,00723863,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6), ref: 00722DFD
_free.LIBCMT ref: 00722E32
_free.LIBCMT ref: 00722E59
SetLastError.KERNEL32(00000000,006F1129), ref: 00722E66
SetLastError.KERNEL32(00000000,006F1129), ref: 00722E6F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: daf8e482003bdb5b0f2135b4960636a0a711ba683b14609380f693e61a949ea3
Instruction ID: e598fa0a8ffeb089e74afe79e2b0b274e55de3ee07774f1653f7e996a701bfa8
Opcode Fuzzy Hash: daf8e482003bdb5b0f2135b4960636a0a711ba683b14609380f693e61a949ea3
Instruction Fuzzy Hash: 0F01F472A45620B7C61327387C4EE3B265DABD57A1B22812CF421A21D3EA7CCC036174

Function 0075000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?,?,0075035E), ref: 0075002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?), ref: 00750064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0074FF41,80070057,?,?), ref: 00750070

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6a71fe5a7dbd12d2449a77b5ad2e49aad6949dbb5ec19bdc2085300b2c5145ff
Instruction ID: 6d98501bedabb0951514f29a081336ffe88acee2030566fe601b0126d5205fd6
Opcode Fuzzy Hash: 6a71fe5a7dbd12d2449a77b5ad2e49aad6949dbb5ec19bdc2085300b2c5145ff
Instruction Fuzzy Hash: F201A276640204BFDB114F68DC08BEA7AEDEF44762F248124FD09D6250D7B9DD449BA0

Function 0075E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0075E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0075E9A5
Sleep.KERNEL32(00000000), ref: 0075E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0075E9B7
Sleep.KERNEL32 ref: 0075E9F3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: da69d74ec819d549aafb6adab8aa10aa576cb458c50019564a38b95bd8456e4c
Instruction ID: dbc586b762befd960b3f5954412ff26c51b9b0b9476d538485e396270321c3df
Opcode Fuzzy Hash: da69d74ec819d549aafb6adab8aa10aa576cb458c50019564a38b95bd8456e4c
Instruction Fuzzy Hash: C5018B71C0052DDBCF059BE4D8896DDBB78BB08302F004506E812B2141DB78A649C766

Function 007510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00751114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 0075112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00750B9B,?,?,?), ref: 00751136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0075114D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 027c83c30e62edc131cc52a07d036a6af1528d0267636e51374ee90d453bb078
Instruction ID: 53f35cb447c4aa76cf2f1c5857e00bb808308d134cf807bb4cd902466a7276bf
Opcode Fuzzy Hash: 027c83c30e62edc131cc52a07d036a6af1528d0267636e51374ee90d453bb078
Instruction Fuzzy Hash: 6F016D75540609BFDB124FA8EC4DAAA3B6EEF85361B214454FA41C3350DB75DC008F70

Function 00750FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00750FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00750FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00750FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00750FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00751002

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 792d86305c0a898eb348a4211e10abe19a86dbb6934e751ffc7e7e27204cbc22
Instruction ID: 9e16706a3b0b564c0d1c33dc6e54cf227664d53a55c6879e0b16a6bdc00becfd
Opcode Fuzzy Hash: 792d86305c0a898eb348a4211e10abe19a86dbb6934e751ffc7e7e27204cbc22
Instruction Fuzzy Hash: 98F04F75241315ABD7224FA4AC8DF963BADEF89762F608414F949C6291CA78DC408B70

Function 00751014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0075102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00751036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0075104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751062

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8c7ae80109870416e325e9f00719f9fab46d8f4095a1189bcd047c4bdaa9e84a
Instruction ID: a2c81df7585a0fb59d7d991e49399016db6aa6188ea636909bcb2000e7d389aa
Opcode Fuzzy Hash: 8c7ae80109870416e325e9f00719f9fab46d8f4095a1189bcd047c4bdaa9e84a
Instruction Fuzzy Hash: EFF04975240355ABDB225FA4EC89F963BADEF89762F604414FA49CA290CA78DC408B70

Function 0076030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760324
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760331
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 0076033E
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 0076034B
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760358
CloseHandle.KERNEL32(?,?,?,?,0076017D,?,007632FC,?,00000001,00732592,?), ref: 00760365

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 06aa895cf8245d74e6d10aad370a2bf67acb0d637be2b5283b4069b0381a4559
Instruction ID: 8ba5bc33c34986b5d0abb86cb76ecdad7073291687e3a187e96d3cbd4d96ac9e
Opcode Fuzzy Hash: 06aa895cf8245d74e6d10aad370a2bf67acb0d637be2b5283b4069b0381a4559
Instruction Fuzzy Hash: 7C019872800B159FCB31AF66D880813FBF9BE602163158A3ED19752A31C3B5A999DF80

Function 0072D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0072D752

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 0072D764
_free.LIBCMT ref: 0072D776
_free.LIBCMT ref: 0072D788
_free.LIBCMT ref: 0072D79A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a0089d72e3c18a34f1913cc637b259a0b371c3bcd465a2ca001a19ae5e0449a
Instruction ID: c9c0cdcc947640fd95711c479a114dbc6050bd9d8c3aec323f24e75e81960dfe
Opcode Fuzzy Hash: 1a0089d72e3c18a34f1913cc637b259a0b371c3bcd465a2ca001a19ae5e0449a
Instruction Fuzzy Hash: 49F01232544224BB9632EB64F9C5D1677DDBB48710BE58D05F088E7612C73CFCC08A64

Function 00755C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00755C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00755C6F
MessageBeep.USER32(00000000), ref: 00755C87
KillTimer.USER32(?,0000040A), ref: 00755CA3
EndDialog.USER32(?,00000001), ref: 00755CBD

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9edb934599650149ef436f4bfad229385ad0386f78e8442a8c4286737cee4634
Instruction ID: e859462549c650e0fe9757c4e1e1a20ee326ac4c77387fe88b005c06c63d858e
Opcode Fuzzy Hash: 9edb934599650149ef436f4bfad229385ad0386f78e8442a8c4286737cee4634
Instruction Fuzzy Hash: C601AE306407059BFB215B10DD5EFE577B8BF00706F005569B553614E1DBF85948CB74

Function 007222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007222BE

Part of subcall function 007229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000), ref: 007229DE
Part of subcall function 007229C8: GetLastError.KERNEL32(00000000,?,0072D7D1,00000000,00000000,00000000,00000000,?,0072D7F8,00000000,00000007,00000000,?,0072DBF5,00000000,00000000), ref: 007229F0

_free.LIBCMT ref: 007222D0
_free.LIBCMT ref: 007222E3
_free.LIBCMT ref: 007222F4
_free.LIBCMT ref: 00722305

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 34c9ccac74af82ff70d6e05c914ba80932fa77bdc7c8774150ccfa3e10fab61b
Instruction ID: 31e8528c0303bf53be00e64402bf2569d2e03908e681415acb510d7fe82c3619
Opcode Fuzzy Hash: 34c9ccac74af82ff70d6e05c914ba80932fa77bdc7c8774150ccfa3e10fab61b
Instruction Fuzzy Hash: 92F03A74900131EB8613AF54BC05D483BA4FB19761781C61EF460E22B3C73D9892AFEC

Function 007095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007095D4
StrokeAndFillPath.GDI32(?,?,007471F7,00000000,?,?,?), ref: 007095F0
SelectObject.GDI32(?,00000000), ref: 00709603
DeleteObject.GDI32 ref: 00709616
StrokePath.GDI32(?), ref: 00709631

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2b2f7107f4f468c25147668410bce32c31e2ffaaa5da3a4237382462abf3a9f9
Instruction ID: e5cfd3d133caea795d15c878c0025346cb68520d4a087c7d6454f0e3e881d181
Opcode Fuzzy Hash: 2b2f7107f4f468c25147668410bce32c31e2ffaaa5da3a4237382462abf3a9f9
Instruction Fuzzy Hash: 26F03C30045648EBDB525F65ED1CBA43BA1AB02362F54C328F525590F2D73D99A1DF28

Function 00720F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007210F9
__freea.LIBCMT ref: 00721117

Part of subcall function 00721537: _free.LIBCMT ref: 0072154F

Strings

am/pm, xrefs: 0072117A
a/p, xrefs: 007211DE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 3f98eb05d10c0ee0f2f7d74edb439dfe9f84215c41893436f32d3d0388f84700
Instruction ID: 88de4a0d9edb792b33ce053d2d9583a69f88ee557fb6997f50ca72320038290a
Opcode Fuzzy Hash: 3f98eb05d10c0ee0f2f7d74edb439dfe9f84215c41893436f32d3d0388f84700
Instruction Fuzzy Hash: 2ED13931E0022ADACB24DF68E855BFEB7B2FF25310FA44159E5019B652D33D9E81CB91

Function 007761D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00710242: EnterCriticalSection.KERNEL32(007C070C,007C1884,?,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071024D
Part of subcall function 00710242: LeaveCriticalSection.KERNEL32(007C070C,?,0070198B,007C2518,?,?,?,006F12F9,00000000), ref: 0071028A

Part of subcall function 007100A3: __onexit.LIBCMT ref: 007100A9

__Init_thread_footer.LIBCMT ref: 00776238

Part of subcall function 007101F8: EnterCriticalSection.KERNEL32(007C070C,?,?,00708747,007C2514), ref: 00710202
Part of subcall function 007101F8: LeaveCriticalSection.KERNEL32(007C070C,?,00708747,007C2514), ref: 00710235

Part of subcall function 0076359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007635E4
Part of subcall function 0076359C: LoadStringW.USER32(007C2390,?,00000FFF,?), ref: 0076360A

Strings

x#|, xrefs: 0077636F
x#|, xrefs: 0077633A
x#|, xrefs: 00776353

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#|$x#|$x#|
API String ID: 1072379062-278022409
Opcode ID: 137e2ff5dc91d4a20b37b081e373fe7d4b2a6c2d0997678cd769b8142a330844
Instruction ID: 1d4789f35e981a2f965baec6ed6232159f3925f56a8e03f90c6512b4a68ef645
Opcode Fuzzy Hash: 137e2ff5dc91d4a20b37b081e373fe7d4b2a6c2d0997678cd769b8142a330844
Instruction Fuzzy Hash: 1CC18D71A00509EFCF14DF58C894EBAB7B9FF48340F148069EA099B296DB78ED55CB90

Function 00725AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOo, xrefs: 00725BA8, 00725C6C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: JOo
API String ID: 0-681639431
Opcode ID: f82180777fa3b4b7c688f586a334411cf525c6db7ed69fc619db4395136ed896
Instruction ID: ca6690c209f3f8fb4718815a0cb6a8824bd28b4ac10d0b2378ede41cd23b57bc
Opcode Fuzzy Hash: f82180777fa3b4b7c688f586a334411cf525c6db7ed69fc619db4395136ed896
Instruction Fuzzy Hash: 7451B6B1D0062ADFCB219FA8E849FEE7BB4AF45310F140159F405A7291E77D9981CB71

Function 00728A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00728B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00728B7A
__dosmaperr.LIBCMT ref: 00728B81

Strings

.q, xrefs: 00728A63

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .q
API String ID: 2434981716-2393120612
Opcode ID: 976529eed97753042a92475f639cbd420359c2e3d7c9ae46cb68cde7905703ab
Instruction ID: fe20779c9d955d720e652727cd9c08a5612696098fe7e133be87328e067ca425
Opcode Fuzzy Hash: 976529eed97753042a92475f639cbd420359c2e3d7c9ae46cb68cde7905703ab
Instruction Fuzzy Hash: 5A41AEF0605065AFD7659F24E884E7D3FA5EB45300F28C1ADF4558B642DE3ECC028795

Function 00752716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007521D0,?,?,00000034,00000800,?,00000034), ref: 0075B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00752760

Part of subcall function 0075B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0075B3F8

Part of subcall function 0075B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0075B355
Part of subcall function 0075B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00752194,00000034,?,?,00001004,00000000,00000000), ref: 0075B365
Part of subcall function 0075B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00752194,00000034,?,?,00001004,00000000,00000000), ref: 0075B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0075281A

Strings

@, xrefs: 00752832

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e7948eee2ee038e5f5f26b654bf1c46ac40f9aa439bd5473ae934e96a50e5c55
Instruction ID: ce0d9431da33d5e7de13c70b96ec9f9c9099214f863a4e887082a2f43454c5a6
Opcode Fuzzy Hash: e7948eee2ee038e5f5f26b654bf1c46ac40f9aa439bd5473ae934e96a50e5c55
Instruction Fuzzy Hash: 0F412072900218BFDB10DFA4CD85AEEBBB8EF09700F104095FA55B7181DBB56E49CB61

Function 0072172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00721769
_free.LIBCMT ref: 00721834
_free.LIBCMT ref: 0072183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00721760, 00721767, 00721796, 007217CE

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 8c0599b914c60358fc3fd3070da68e1e62826c72ba7fdbb73094c61dcf9c1860
Instruction ID: 4b527e74e2919657ee52aad59b62369151085a38d9b1ed6f157d844fdee16423
Opcode Fuzzy Hash: 8c0599b914c60358fc3fd3070da68e1e62826c72ba7fdbb73094c61dcf9c1860
Instruction Fuzzy Hash: 9F315275A00268FFDB21DF99A885D9EBBFCFBA5310F94416AF80497211D6789E40CB90

Function 0075C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0075C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0075C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007C1990,00CC62F8), ref: 0075C395

Strings

0, xrefs: 0075C2DF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 4a4e80df45833f6dc46ebfaf8b0808ad3c760871c05b06c9b8cd4b5fda9e17a5
Instruction ID: 2cb8da557222e36dcab090aae45686bcb77b8a628e43098ef4af9d4822761157
Opcode Fuzzy Hash: 4a4e80df45833f6dc46ebfaf8b0808ad3c760871c05b06c9b8cd4b5fda9e17a5
Instruction Fuzzy Hash: 5A41A0312043059FD721DF24D885BAABBE4AF85321F10861DFDA5972D1D7B8A908CB62

Function 00784416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0078CC08,00000000,?,?,?,?), ref: 007844AA
GetWindowLongW.USER32 ref: 007844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007844D7

Strings

SysTreeView32, xrefs: 0078447C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 269306946a2563f6d9101f9f561dd08f5ff71cc9bd61eec4e00af1a8acdfeac5
Instruction ID: 45a482801baa64e691e265f8adb48f654a95e0114970576e94007a9a080f6155
Opcode Fuzzy Hash: 269306946a2563f6d9101f9f561dd08f5ff71cc9bd61eec4e00af1a8acdfeac5
Instruction Fuzzy Hash: 0931B071250246AFDF21AE78DC45FEA77A9EB08334F204725F979921D0D7B8EC509760

Function 00756E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00756EED
VariantCopyInd.OLEAUT32(?,?), ref: 00756F08
VariantClear.OLEAUT32(?), ref: 00756F12

Strings

*ju, xrefs: 00756E8B, 00756E90, 00756EF8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *ju
API String ID: 2173805711-1978014906
Opcode ID: a00898ec51168f60ca226b3be4beff06c03c262afcc0dadf9817fe9edfba581e
Instruction ID: c92749b3179bbcb27f7f3e26dc098ddf8970e600958b0334f45d3d0835eac328
Opcode Fuzzy Hash: a00898ec51168f60ca226b3be4beff06c03c262afcc0dadf9817fe9edfba581e
Instruction Fuzzy Hash: 5131D372A04249DFDB05AFA4E8519FD37B6FF41701B500498F9029B2E1CB789D15CBA4

Function 0077304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0077335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00773077,?,?), ref: 00773378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0077307A
_wcslen.LIBCMT ref: 0077309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00773106

Strings

255.255.255.255, xrefs: 00773095, 0077309A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 91286d521548341714790c3501999339f64f0b94e170ad3be460fa5ac05f79ec
Instruction ID: 9a8f390b125d6f6d18983749af514b8aab2454686157814772277d077dae44f6
Opcode Fuzzy Hash: 91286d521548341714790c3501999339f64f0b94e170ad3be460fa5ac05f79ec
Instruction Fuzzy Hash: C731D339204209DFCF20CF28C485EAA77E1EF14398F64C459E9198B392DB3AEE41D760

Function 00783EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00783F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00783F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00783F78

Strings

SysMonthCal32, xrefs: 00783F0B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: dd80b6f2b9e3751c3bcbd98a9d4d5bc5437c0a4ab975a0d04f3398a328ff1e41
Instruction ID: f7db6e0b90ca82f9ab6ae010ebfe571041cf66f57526e7342256ca889f08dfeb
Opcode Fuzzy Hash: dd80b6f2b9e3751c3bcbd98a9d4d5bc5437c0a4ab975a0d04f3398a328ff1e41
Instruction Fuzzy Hash: D021BF32650219BBDF159F54CC46FEA3B75EF48714F110214FE15AB1D0D6B9A950CBA0

Function 00784653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00784705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00784713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0078471A

Strings

msctls_updown32, xrefs: 00784684

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 182281b92dad498b6b7f977e5efe9a16a9882ebad2a4cbfdec53fc09b50ee180
Instruction ID: c419f383d0b7d3855560e6dcb3bc263620c59bece1b296f0e43b8feb4e36c66d
Opcode Fuzzy Hash: 182281b92dad498b6b7f977e5efe9a16a9882ebad2a4cbfdec53fc09b50ee180
Instruction Fuzzy Hash: 4C2171B5640209AFDB11EF68DCC5DB737ADEF4A398B140059FA009B251DB74EC11CB64

Function 007595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075961D

Strings

#requireadmin, xrefs: 007595D9
#OnAutoItStartRegister, xrefs: 007595F3
#notrayicon, xrefs: 007595B7

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 231505037aaa1ed47689563f7fb9c1a730f17d54987b3b5450342f8c66a6cb7a
Instruction ID: 6972f0aa822ece39bbf303b87b2665cb3c29e22fea81b31966d0ab54505a91e3
Opcode Fuzzy Hash: 231505037aaa1ed47689563f7fb9c1a730f17d54987b3b5450342f8c66a6cb7a
Instruction Fuzzy Hash: BC213172204210E6C731AA289806EFB7398EF91311F40402AFE4996081EB98ADADC2A5

Function 007837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00783840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00783850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00783876

Strings

Listbox, xrefs: 0078380F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5acfcc9d94b9597c29689c7c34afb0331de29fb6096ebb372fc6346a1029ef7b
Instruction ID: 4640f91be54a9d81ed2353836670d898e3cbdf8cc3864d541c0b02d288eeb425
Opcode Fuzzy Hash: 5acfcc9d94b9597c29689c7c34afb0331de29fb6096ebb372fc6346a1029ef7b
Instruction Fuzzy Hash: 0D21A472650118BBEF119F58CC85FBB376EEF89B60F118124F9049B190CA79DC5287A0

Function 007649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00764A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00764A5C
SetErrorMode.KERNEL32(00000000,?,?,0078CC08), ref: 00764AD0

Strings

%lu, xrefs: 00764A6F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4f3a8f26f3e082323744c48c7f3625b1dc8291e086aabc831b577640f21ba952
Instruction ID: bb4bc1bcae10bb13039c236c20c1580da9ef08f85b3af3ade75e621b5fc12892
Opcode Fuzzy Hash: 4f3a8f26f3e082323744c48c7f3625b1dc8291e086aabc831b577640f21ba952
Instruction Fuzzy Hash: 81316D71A00109AFDB11DF64C885EAA7BF9EF08308F1480A9F909DB252DB75EE45CB71

Function 007841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0078424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00784264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00784271

Strings

msctls_trackbar32, xrefs: 00784226

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c1984d2438aad8fd17435b332b1baac354da215e64d6d4ea8b49495506e65a96
Instruction ID: cb98fb98040ec2ffaa304b60a43d5097e0bc8fd1a38ec8d26a68db38e8754f2a
Opcode Fuzzy Hash: c1984d2438aad8fd17435b332b1baac354da215e64d6d4ea8b49495506e65a96
Instruction Fuzzy Hash: 4D11E731284209BEEF20AF24CC05FAB37ACFF95754F114124FA55E2090D6B5D8119714

Function 00752F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

Part of subcall function 00752DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00752DC5
Part of subcall function 00752DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00752DD6
Part of subcall function 00752DA7: GetCurrentThreadId.KERNEL32 ref: 00752DDD
Part of subcall function 00752DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00752DE4

GetFocus.USER32 ref: 00752F78

Part of subcall function 00752DEE: GetParent.USER32(00000000), ref: 00752DF9

GetClassNameW.USER32(?,?,00000100), ref: 00752FC3
EnumChildWindows.USER32(?,0075303B), ref: 00752FEB

Strings

%s%d, xrefs: 00752FFF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a87579254928b406245b15e84c40358b31ba3587b91c1839053b4cf622617b4f
Instruction ID: d43e99d04cdd973f6cf3e088b893c913e021826e91f875c0ca4406fb826a5a40
Opcode Fuzzy Hash: a87579254928b406245b15e84c40358b31ba3587b91c1839053b4cf622617b4f
Instruction Fuzzy Hash: 3E1193B1700209ABCF557F64CC89EED376BAF84305F048079BD099B292DE7959498B70

Function 00785882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007858EE
DrawMenuBar.USER32(?), ref: 007858FD

Strings

0, xrefs: 0078588F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 6badb359381d39594a2f1dd8b1660d87fda4342303ef77c2ddf6a1c373d3707b
Instruction ID: 49c3e4c905777c72d1ee21f53c844e689dd2312e1a8cf853687978c26039a3e4
Opcode Fuzzy Hash: 6badb359381d39594a2f1dd8b1660d87fda4342303ef77c2ddf6a1c373d3707b
Instruction Fuzzy Hash: 09012131540218EFDB21AF11DC48BAEBBB4FB45361F108099E849D6151DB389A94DF31

Function 0075007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e6ec9040b08522eba8c5e8ddbc4a93330fc4bb72dc67bee04ff19b0b13f0bbe
Instruction ID: 431a079e46a80d73f1a9d4a408c3a6c1e3e0304ea7d081681ed7d9b116d27632
Opcode Fuzzy Hash: 6e6ec9040b08522eba8c5e8ddbc4a93330fc4bb72dc67bee04ff19b0b13f0bbe
Instruction Fuzzy Hash: 5CC18C75A0020AEFCB14CFA4C898EAEB7B5FF48315F208598E905EB251D775ED45CB90

Function 0077342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00773459
CoUninitialize.OLE32 ref: 00773463
VariantInit.OLEAUT32(?), ref: 0077346E
VariantClear.OLEAUT32(?), ref: 0077371B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4dc2c401fd4722d89d67d88dc941df5c256fa9b860d4936b2c9733455e31459c
Instruction ID: 7839bfc3ae2651e83899ef4090b360fda1c2d3925f4362d5e4eed2160ae297b2
Opcode Fuzzy Hash: 4dc2c401fd4722d89d67d88dc941df5c256fa9b860d4936b2c9733455e31459c
Instruction Fuzzy Hash: A1A13775204204DFCB10DF28C485A2AB7E5FF88764F04885DF98A9B362DB74EE05DB96

Function 00750436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0078FC08,?), ref: 007505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0078FC08,?), ref: 00750608
CLSIDFromProgID.OLE32(?,?,00000000,0078CC40,000000FF,?,00000000,00000800,00000000,?,0078FC08,?), ref: 0075062D
_memcmp.LIBVCRUNTIME ref: 0075064E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 7cd24c2d37cd3b0922fead89ce9d3f7f91183708100d3f4e3d5031340d24d750
Instruction ID: 0c8c0bad1a983f0b0213bd27aacb8bfc6c4e968d3f56c936660cca3cccdbb1f0
Opcode Fuzzy Hash: 7cd24c2d37cd3b0922fead89ce9d3f7f91183708100d3f4e3d5031340d24d750
Instruction Fuzzy Hash: BD810F75A00109EFCB04DF94C984DEEB7B9FF89315F204558F916AB250DB75AE0ACBA0

Function 0077A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0077A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0077A6BA

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0077A79C
CloseHandle.KERNEL32(00000000), ref: 0077A7AB

Part of subcall function 0070CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00733303,?), ref: 0070CE8A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 420a0a7b92bb34642e90850180e586c1a1b3c58919d9f70fbc9d6d99d6346623
Instruction ID: 0a4e5afe323936c47d33e8e5b58b0e28b1ba3142daede14c4763f9ef1b90379e
Opcode Fuzzy Hash: 420a0a7b92bb34642e90850180e586c1a1b3c58919d9f70fbc9d6d99d6346623
Instruction Fuzzy Hash: 9C517E71508304AFD754DF24C886A6FBBE8FF89754F00892DF58997291EB34D904CBA6

Function 00731391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007314C0

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a0f3a31e8570ad493d8935ac77406a1ffe1bb7143fa4c773ebfaa6eff42c5b12
Instruction ID: 8f414d17bcd0175247f649ef1d8fd032a5eba0e3db79f2e780d0ca9cf81c8019
Opcode Fuzzy Hash: a0f3a31e8570ad493d8935ac77406a1ffe1bb7143fa4c773ebfaa6eff42c5b12
Instruction Fuzzy Hash: EE410B32A00550EBFB217BBD9C4AAEE3BA5FF41370F544225F419D61D3E63C88815761

Function 00786278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007862E2
ScreenToClient.USER32(?,?), ref: 00786315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00786382

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7bca6a6e8f80011a57f45f3997bd4c2953fd2874bc131a1980e7236731785dc8
Instruction ID: 87dc0b852e28d56d271e801730911f9c4ca36857c98732ef059cadfd8cbbb7c5
Opcode Fuzzy Hash: 7bca6a6e8f80011a57f45f3997bd4c2953fd2874bc131a1980e7236731785dc8
Instruction Fuzzy Hash: 5D515D75A40249EFDF10EF68D880AAE7BB6FF45360F208169F9159B6A0D734ED81CB50

Function 00771AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00771AFD
WSAGetLastError.WSOCK32 ref: 00771B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00771B8A
WSAGetLastError.WSOCK32 ref: 00771B94

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 6f730f023631e9c9da43f3243a0c296ca14e11a17447717bfc420f70a67976c8
Instruction ID: 0ec666044a26d78160548ca81de3fb847b4c03903057d021d62e3130fa91b486
Opcode Fuzzy Hash: 6f730f023631e9c9da43f3243a0c296ca14e11a17447717bfc420f70a67976c8
Instruction Fuzzy Hash: 43419F74640200AFEB20AF24C886F3977E5AB45718F54C54CFA1A9F2D3D776DD418B94

Function 0072B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9958f815267fdd8253084730f23cceff9ee29f9e653cbe25d79b5be22a9aa195
Instruction ID: 1b5179fd2918e3e4d5b7dd6381921ab687a94490e85bd180172198250a1fadde
Opcode Fuzzy Hash: 9958f815267fdd8253084730f23cceff9ee29f9e653cbe25d79b5be22a9aa195
Instruction Fuzzy Hash: 6F411972A00764FFD724AF38DC45BAABBE9EB88710F10452EF541DB282D779A9418780

Function 007656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00765783
GetLastError.KERNEL32(?,00000000), ref: 007657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007657FA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 12813c70534475150bb93372330311b0adb51db8612a7451a41e8cd0828c40de
Instruction ID: f7a8f14ff1771a03a4b04f031de0565da1aada420834d0be48fca3c4cfaeedeb
Opcode Fuzzy Hash: 12813c70534475150bb93372330311b0adb51db8612a7451a41e8cd0828c40de
Instruction Fuzzy Hash: 93413D35600615DFCB11DF15C544A6EBBE2EF89320B18C488ED4AAB362CB78FD04DB95

Function 0072D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00716D71,00000000,00000000,007182D9,?,007182D9,?,00000001,00716D71,?,00000001,007182D9,007182D9), ref: 0072D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0072D9AB
__freea.LIBCMT ref: 0072D9B4

Part of subcall function 00723820: RtlAllocateHeap.NTDLL(00000000,?,007C1444,?,0070FDF5,?,?,006FA976,00000010,007C1440,006F13FC,?,006F13C6,?,006F1129), ref: 00723852

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f3e53d62f5053dee805ae30722829f664be73d72866e7324918ef98dec5d1420
Instruction ID: 5eb8125fc9ec0252ca648dba69a9e7127912a83b4274c4bc5df6cdeb2726a070
Opcode Fuzzy Hash: f3e53d62f5053dee805ae30722829f664be73d72866e7324918ef98dec5d1420
Instruction Fuzzy Hash: E431D272A0022AABDF25DF64EC85EAE7BA5EB40310F154168FC44D7251E739DD90CBA0

Function 007852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00785352
GetWindowLongW.USER32(?,000000F0), ref: 00785375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00785382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007853A8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3545b93e875afb8efbfbbfd293a7c22f00dcc3ba0a177da2f935eb39f502263a
Instruction ID: 5ff7c37a3361df2b3ea55eed432de1ee0310043cd5a6f2b01151785e35ab83d9
Opcode Fuzzy Hash: 3545b93e875afb8efbfbbfd293a7c22f00dcc3ba0a177da2f935eb39f502263a
Instruction Fuzzy Hash: 2331E230AD5A08FFEB31AA14CC05FE83762AB05399F984111FA10969E1C7BCAE40DB51

Function 0075AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0075ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0075AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0075AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0075ACC6

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 309841f5b7e108ec087205e7b4da54b30e3487caa2611a249a8b71e438991525
Instruction ID: 86d1e761ac69f01c5d49fe0aa9fec1c772cad49324bd372209d35ee0349d7ff2
Opcode Fuzzy Hash: 309841f5b7e108ec087205e7b4da54b30e3487caa2611a249a8b71e438991525
Instruction Fuzzy Hash: 9E312830A40258BFFF35CB648C09BFA7BA5AB45312F14433AE885561D0D3BD89898772

Function 00787674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0078769A
GetWindowRect.USER32(?,?), ref: 00787710
PtInRect.USER32(?,?,00788B89), ref: 00787720
MessageBeep.USER32(00000000), ref: 0078778C

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 61c364a29707985c7d32e5788469a1d3a5fc50d65ef1743a07585604a733412f
Instruction ID: d91ca01fc6d240100f911c4362f14800cbbfa14ae2fea32c1faa27abe77a1a26
Opcode Fuzzy Hash: 61c364a29707985c7d32e5788469a1d3a5fc50d65ef1743a07585604a733412f
Instruction Fuzzy Hash: 4641BD34A45254DFCB09EF58C894EA9B7F4FF4A310F6980A8E816DB261D338E941CF90

Function 007816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007816EB

Part of subcall function 00753A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00753A57
Part of subcall function 00753A3D: GetCurrentThreadId.KERNEL32 ref: 00753A5E
Part of subcall function 00753A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007525B3), ref: 00753A65

GetCaretPos.USER32(?), ref: 007816FF
ClientToScreen.USER32(00000000,?), ref: 0078174C
GetForegroundWindow.USER32 ref: 00781752

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7b2fd5ae4ded9da36dc0b362641f06f776533ad81a691cd8f49558cb75e00636
Instruction ID: 00ad1d572a144d61433844798911821e88520df2afb897644a656559f45c07ac
Opcode Fuzzy Hash: 7b2fd5ae4ded9da36dc0b362641f06f776533ad81a691cd8f49558cb75e00636
Instruction Fuzzy Hash: 86312F75D00149AFCB00EFA9C985CAEBBFDEF88304B5480ADE515E7211DB359E45CBA4

Function 0075DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

_wcslen.LIBCMT ref: 0075DFCB
_wcslen.LIBCMT ref: 0075DFE2
_wcslen.LIBCMT ref: 0075E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0075E018

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 670dba1840bf304fda5e8cdda97d76e778e2a45478a4ff0f91886d774b06442e
Instruction ID: 6cffd93ac030a3d2e424da86ec2d991ce13648245b0b3dd41e8ce043aaecef6a
Opcode Fuzzy Hash: 670dba1840bf304fda5e8cdda97d76e778e2a45478a4ff0f91886d774b06442e
Instruction Fuzzy Hash: 9F21A671900214EFCB20EF68D981BAE77F8EF45750F144065E905BB2C1D6B89E41CBA1

Function 00788FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

GetCursorPos.USER32(?), ref: 00789001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00747711,?,?,?,?,?), ref: 00789016
GetCursorPos.USER32(?), ref: 0078905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00747711,?,?,?), ref: 00789094

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e43b81fcfbf480eb0b3bfe085a53fed04a6ec2c88b37ea6a4bd7853dc901825e
Instruction ID: 3e083a3d84baa744aa380cf1ce58de19a66d2436346eef735bed078f716347d5
Opcode Fuzzy Hash: e43b81fcfbf480eb0b3bfe085a53fed04a6ec2c88b37ea6a4bd7853dc901825e
Instruction Fuzzy Hash: 2421B535640018EFCB169F94CC58EFA7BB9EF4A360F284169FA0657161D339AD50DB60

Function 0075D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0078CB68), ref: 0075D2FB
GetLastError.KERNEL32 ref: 0075D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0075D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0078CB68), ref: 0075D376

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: acb0f251e594dd0949d1b357dedf75f4d2899d403254ae5cc5a4ab70794fff3a
Instruction ID: 44cb0ba6a8f67ec93c3de6bb1f8b923378372b743e779906ab1757e889dcc886
Opcode Fuzzy Hash: acb0f251e594dd0949d1b357dedf75f4d2899d403254ae5cc5a4ab70794fff3a
Instruction Fuzzy Hash: 58219170509201DF8720DF24C8818AAB7E4AE55365F104A1DF899C72A1E775DD49CBA7

Function 00751571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00751014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0075102A
Part of subcall function 00751014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00751036
Part of subcall function 00751014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751045
Part of subcall function 00751014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0075104C
Part of subcall function 00751014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00751062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007515BE
_memcmp.LIBVCRUNTIME ref: 007515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00751617
HeapFree.KERNEL32(00000000), ref: 0075161E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: b1723950eb9573ae058ed65e78720f77251a3b9e8f852fb7b2952994cb309738
Instruction ID: 03e27e1cc36eeedd6de6fadb2cc625aa3b5cc8ac41d85c5dffc7705440baccbb
Opcode Fuzzy Hash: b1723950eb9573ae058ed65e78720f77251a3b9e8f852fb7b2952994cb309738
Instruction Fuzzy Hash: A421B671D40108EFDF00DFA4C949BEEB7B4EF44346F598459E851A7241E778AE09CBA0

Function 00782782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0078280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00782824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00782832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00782840

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a55fe8e7d1322c9b14bf6eab27133712bc04ae4fd2d741d0bcd73b809a029a4a
Instruction ID: 87e31613947ced55257bb62719568c56d29bc7fc757c4f16cb487eb582c16901
Opcode Fuzzy Hash: a55fe8e7d1322c9b14bf6eab27133712bc04ae4fd2d741d0bcd73b809a029a4a
Instruction Fuzzy Hash: 0B210331244111AFDB14AB24C844FAA7B96EF85325F248158F9268B6E3CB79FC42C790

Function 007578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00758D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?), ref: 00758D8C
Part of subcall function 00758D7D: lstrcpyW.KERNEL32(00000000,?,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00758DB2
Part of subcall function 00758D7D: lstrcmpiW.KERNEL32(00000000,?,0075790A,?,000000FF,?,00758754,00000000,?,0000001C,?,?), ref: 00758DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757923
lstrcpyW.KERNEL32(00000000,?,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00758754,00000000,?,0000001C,?,?,00000000), ref: 00757984

Strings

cdecl, xrefs: 0075797B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9778758e1eaed6fcec097882482b58e157f1593a8a66fea8e6b672953c35edcb
Instruction ID: 5ff49e2dbab2aa342a3d6fef28945c2bbba55a32c379b0adc74225efa94d658b
Opcode Fuzzy Hash: 9778758e1eaed6fcec097882482b58e157f1593a8a66fea8e6b672953c35edcb
Instruction Fuzzy Hash: 9011067A200341ABCB159F35D848EBA77E9FF85351B10802AFD42C72A4EF799805C761

Function 00787CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00787D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00787D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00787D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0076B7AD,00000000), ref: 00787D6B

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 2c3ba8409381a1cf1ad9027184b6b3bd962460b1fc35db3d598597fc823232f2
Instruction ID: 43a8f396fd760dccfafccad827f87ec50173415a6d7a77cf638fdde4472bc817
Opcode Fuzzy Hash: 2c3ba8409381a1cf1ad9027184b6b3bd962460b1fc35db3d598597fc823232f2
Instruction Fuzzy Hash: 3611D5312446149FCB15AF28CC04E663BA4AF463A0B358728F836DB1F0E738D910DB60

Function 00785660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007856BB
_wcslen.LIBCMT ref: 007856CD
_wcslen.LIBCMT ref: 007856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00785816

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b6627942f31b925df62d3d5446ff353e830e843c7ff6a2b32436a60ddd34f0e1
Instruction ID: 2be81b405a793be1b70784bf413d459981ad9ee484a43968fe8b832c6829c129
Opcode Fuzzy Hash: b6627942f31b925df62d3d5446ff353e830e843c7ff6a2b32436a60ddd34f0e1
Instruction Fuzzy Hash: 9211D375680608E6DF20AF65CC85EEE77ACEF11760B50806AF919D6081EB7CDA84CB64

Function 00721D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1071ff4c861b28aacd2d7c9fe9374c387e54125d25bf6568b192a507ac6ac5
Instruction ID: 8c6f4d8a2747fb520198841afdae24d57720cec023d1e33c1938f09d729afb71
Opcode Fuzzy Hash: da1071ff4c861b28aacd2d7c9fe9374c387e54125d25bf6568b192a507ac6ac5
Instruction Fuzzy Hash: A301ADB270962ABEF62126787CC4F27661CEF613B8F750329F521A11D2DB789C414270

Function 00751A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00751A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00751A8A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef05b518b8867575bb346e6c294ad4ec1972ebaed688cc29f6d0486c73c28d89
Instruction ID: af5a2c52cc8e159807f09e9245f4ad2b86f27c246c79a99381aafa01e2ccca38
Opcode Fuzzy Hash: ef05b518b8867575bb346e6c294ad4ec1972ebaed688cc29f6d0486c73c28d89
Instruction Fuzzy Hash: 7C11393AD01219FFEB11DBA4CD85FEDBB78EB08751F2040A1EA00B7290D6B16E50DB94

Function 0075E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0075E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0075E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0075E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0075E24D

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 8776b3630f413d5b09ca3d2777935fb93d46cae1737e16e9848e853ed4691001
Instruction ID: 304f99212652fcc4ea62f516679d06d014ceee0f83f8ef4cc2a5a3403ce978cb
Opcode Fuzzy Hash: 8776b3630f413d5b09ca3d2777935fb93d46cae1737e16e9848e853ed4691001
Instruction Fuzzy Hash: A2112B72D04258BBC7069FA8AC09EDE7FACEB45315F108269F824D3291D6BCCE0487B4

Function 0071D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0071CFF9,00000000,00000004,00000000), ref: 0071D218
GetLastError.KERNEL32 ref: 0071D224
__dosmaperr.LIBCMT ref: 0071D22B
ResumeThread.KERNEL32(00000000), ref: 0071D249

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5189e154abd4f66573b33ebb79c8bcb8721f10cfc2117d27e2ba749fd0186123
Instruction ID: ccaf17442de9a497717cac03095dc00cb490307e6eb8505ae2efb2dcf3cf0f29
Opcode Fuzzy Hash: 5189e154abd4f66573b33ebb79c8bcb8721f10cfc2117d27e2ba749fd0186123
Instruction Fuzzy Hash: 6D01C476805108BBC7225BA9DC09AEE7A69EF85730F204219F925921D0DB79CD818BA1

Function 00789EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00709BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00709BB2

GetClientRect.USER32(?,?), ref: 00789F31
GetCursorPos.USER32(?), ref: 00789F3B
ScreenToClient.USER32(?,?), ref: 00789F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00789F7A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 304a169a470ff309b5ec3631301b09fde8074b9da684a7f4fd240e678c886ecd
Instruction ID: 7d734d11a873d61fa75190eb1570077520c78b08ee7418eff9f88581a5db30f8
Opcode Fuzzy Hash: 304a169a470ff309b5ec3631301b09fde8074b9da684a7f4fd240e678c886ecd
Instruction Fuzzy Hash: CA11663294011AEBDB06EFA8C8499FE77B8EB05311F244465FA02E3041D338BA81CBA5

Function 006F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
GetStockObject.GDI32(00000011), ref: 006F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44608ea8bd92b73afaea6dc24602e9b4141a004e35fbcfced2e8ff29ed5d0b6b
Instruction ID: b6c85bf739246e5d067f71194d81bf259657181f035cb94cc9481683f89f61bb
Opcode Fuzzy Hash: 44608ea8bd92b73afaea6dc24602e9b4141a004e35fbcfced2e8ff29ed5d0b6b
Instruction Fuzzy Hash: 24116D7250154CBFEF124FA4DD44EFABB6AEF093A4F244215FB1552120DB36AC60DBA4

Function 00713B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00713B56

Part of subcall function 00713AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00713AD2
Part of subcall function 00713AA3: ___AdjustPointer.LIBCMT ref: 00713AED

_UnwindNestedFrames.LIBCMT ref: 00713B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00713B7C
CallCatchBlock.LIBVCRUNTIME ref: 00713BA4

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e330a0ce04d16a86dde7fc47603fdfc785dda7154b2c0e26658552db3fd92dd4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: D3012972100148BBDF125E99CC46EEB3B7AEF48754F044014FE4856161D73AE9A1DBA0

Function 00723073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006F13C6,00000000,00000000,?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue), ref: 007230A5
GetLastError.KERNEL32(?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue,00792290,FlsSetValue,00000000,00000364,?,00722E46), ref: 007230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0072301A,006F13C6,00000000,00000000,00000000,?,0072328B,00000006,FlsSetValue,00792290,FlsSetValue,00000000), ref: 007230BF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5b9fc3981b6cabdb5e86aadd45fdefb6c95c500d6a8146406cc2ed8285de2ee0
Instruction ID: 6b59bb926341b039240141048fb239854f2a39b912506118a589008b3630b35a
Opcode Fuzzy Hash: 5b9fc3981b6cabdb5e86aadd45fdefb6c95c500d6a8146406cc2ed8285de2ee0
Instruction Fuzzy Hash: 2401F732741236ABCB314B78BC44A577B9AAF05B61B204724F905E3180C73DD901C7F4

Function 00757464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0075747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00757497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007574CA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e1e81a9f9a63251125aea3a759be7b5b5955b3ecea3fa7a533d51ca5f7d7d603
Instruction ID: ea7ba2e04fdcba9ed86b73dd06867fc315951752134a6979e9dc5b8ba65f1438
Opcode Fuzzy Hash: e1e81a9f9a63251125aea3a759be7b5b5955b3ecea3fa7a533d51ca5f7d7d603
Instruction Fuzzy Hash: CC11ADB1245354ABE7208F64EC08FD27FFCEB00B11F20856DAE1AD6191D7B8E948DB61

Function 0075B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075ACD3,?,00008000), ref: 0075B126

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b027597f82e9a64ec3c7f6c0088e78ecb1585437c4e97bb2b7986eeedbae20b4
Instruction ID: 5d2045d5d5d4a3266daaac6ba9d2f20cc8129f921701c0efc372af23108ba61a
Opcode Fuzzy Hash: b027597f82e9a64ec3c7f6c0088e78ecb1585437c4e97bb2b7986eeedbae20b4
Instruction Fuzzy Hash: 5F115E71C0191CD7CF00AFE5D9996FEFB78FF09712F108485D941B2185CB7859548B65

Function 00787E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00787E33
ScreenToClient.USER32(?,?), ref: 00787E4B
ScreenToClient.USER32(?,?), ref: 00787E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00787E8A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 273b1a41405d2dc12d11bd39cd0512bbaaa05d995fa4b61d01eabc71b9df9387
Instruction ID: e5064b12436316ac91fe12d8d39b7cef09e4715eca08047c72d455afb0bcee6b
Opcode Fuzzy Hash: 273b1a41405d2dc12d11bd39cd0512bbaaa05d995fa4b61d01eabc71b9df9387
Instruction Fuzzy Hash: 9B1156B9D4020AAFDB41DF98C884AEEBBF5FF08310F509066E925E3210D735AA54CF64

Function 00752DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00752DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00752DD6
GetCurrentThreadId.KERNEL32 ref: 00752DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00752DE4

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3b25bfb77ac10cdd46b5295eb4a09ed51b4f85a20b665f19002c13f18db81901
Instruction ID: 69f8fb2c72b36ec55fd624ea9a50d7efff5b1cfb79804acfe02a7ce8aa57fcc6
Opcode Fuzzy Hash: 3b25bfb77ac10cdd46b5295eb4a09ed51b4f85a20b665f19002c13f18db81901
Instruction Fuzzy Hash: FAE06D717412247AD7211B62AC0EEEB3E6CEB43BA2F104129B905D1081AAA88845C7B0

Function 00788863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00709639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00709693
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096A2
Part of subcall function 00709639: BeginPath.GDI32(?), ref: 007096B9
Part of subcall function 00709639: SelectObject.GDI32(?,00000000), ref: 007096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00788887
LineTo.GDI32(?,?,?), ref: 00788894
EndPath.GDI32(?), ref: 007888A4
StrokePath.GDI32(?), ref: 007888B2

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cf4b0c09a2ee47a0a9aa2d25f423ad98db07257fa899a5ec2a49d707814d3c48
Instruction ID: d4a57d03e518349938dab92611434c85751988583d17f85b15c00e0988fc838e
Opcode Fuzzy Hash: cf4b0c09a2ee47a0a9aa2d25f423ad98db07257fa899a5ec2a49d707814d3c48
Instruction Fuzzy Hash: 8DF03A36081258FADB136F94AC0DFCA3B59AF06310F54C100FA11651E2C7BD5511CBAA

Function 007098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007098CC
SetTextColor.GDI32(?,?), ref: 007098D6
SetBkMode.GDI32(?,00000001), ref: 007098E9
GetStockObject.GDI32(00000005), ref: 007098F1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: dcf42aa885ce6f6e31261f4dbc348c8345ccaa9cde90f9ba86a7f5719530cdc8
Instruction ID: 2d44e467c294ca82ff32dce8ccd5c6483c2c7bc153ed6dafed0c869fa10476d9
Opcode Fuzzy Hash: dcf42aa885ce6f6e31261f4dbc348c8345ccaa9cde90f9ba86a7f5719530cdc8
Instruction Fuzzy Hash: 73E06531684284AEDB225B74BC0DBE83F50AB51335F24C21AF6F5580E1C3795650DB20

Function 0075162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00751634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007511D9), ref: 0075163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007511D9), ref: 00751648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007511D9), ref: 0075164F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d30c35ce191b1d8c4d15bd5001bc5868e14d8048c938605e71d14d9140120230
Instruction ID: d5c745ec970576229feb63880fa658f9395888e111579d40669378b632b0fe26
Opcode Fuzzy Hash: d30c35ce191b1d8c4d15bd5001bc5868e14d8048c938605e71d14d9140120230
Instruction Fuzzy Hash: 50E04632682211ABD7201BB0AE0DB863B68EF45792F258808F645C9080EA7C84458B68

Function 0074D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0074D858
GetDC.USER32(00000000), ref: 0074D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074D882
ReleaseDC.USER32(?), ref: 0074D8A3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3255e7e443eea519cb39a1cc242ea1e7bd93a1b7068f4d644cdcb34db8883c10
Instruction ID: 56f5a30472aae1272f1ebe147607e402c867ded5498c3124b3651fe35ca56779
Opcode Fuzzy Hash: 3255e7e443eea519cb39a1cc242ea1e7bd93a1b7068f4d644cdcb34db8883c10
Instruction Fuzzy Hash: 39E0E5B4940205DFCB529FA0990866DBBB6AB48310B208019E946E7250D73C8941AF64

Function 0074D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0074D86C
GetDC.USER32(00000000), ref: 0074D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0074D882
ReleaseDC.USER32(?), ref: 0074D8A3

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ea56c4c0e4aeedb9c11374d5b412bd79ad65010534a3ee79a146edc52259039f
Instruction ID: 4643a37c0bc07ca13512a55016dd2464aa990dc81c05aecdfe1cfc970f13e1ac
Opcode Fuzzy Hash: ea56c4c0e4aeedb9c11374d5b412bd79ad65010534a3ee79a146edc52259039f
Instruction Fuzzy Hash: 9CE01A74940204DFCB529FB0D80C66DBBB1BF48310B208018E90AE7250D73C5901AF64

Function 00764D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006F7620: _wcslen.LIBCMT ref: 006F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00764ED4

Strings

LPT, xrefs: 00764DFB
*, xrefs: 00764E10

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6afd0626367a7bdd9afb75c9b8655bfb820df9e4ba5edecaaced76b535d55cfa
Instruction ID: d383e2fe538a24a4c1d5d2249b273548a26fc82ae679d0f33c6229738d650efb
Opcode Fuzzy Hash: 6afd0626367a7bdd9afb75c9b8655bfb820df9e4ba5edecaaced76b535d55cfa
Instruction Fuzzy Hash: A4915F75A00204EFCB15DF58C484EAABBF1BF44304F198099E80A9F7A2D779ED85CB91

Function 0071E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0071E30D

Strings

pow, xrefs: 0071E2E5, 0071E302

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b42a4ecd2aabf9cea015c29ddee2e7de089606cd43d7e6c48305691733360a1c
Instruction ID: 91167cbfd3a463042467c8fda818d589fb533292bd455fc2292a0536138d58fb
Opcode Fuzzy Hash: b42a4ecd2aabf9cea015c29ddee2e7de089606cd43d7e6c48305691733360a1c
Instruction Fuzzy Hash: 75518E71E0C11296CB19772CDE453FA3BA4AB40740F348999F8E5422E9DB3C8CD6DA46

Function 00777771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0074569E,00000000,?,0078CC08,?,00000000,00000000), ref: 007778DD

Part of subcall function 006F6B57: _wcslen.LIBCMT ref: 006F6B6A

CharUpperBuffW.USER32(0074569E,00000000,?,0078CC08,00000000,?,00000000,00000000), ref: 0077783B

Strings

<s{, xrefs: 007777C8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s{
API String ID: 3544283678-301287271
Opcode ID: 6719f870636f53a3c6e272fc7290de26718f972dd7d508b2d20b451f2b5753d9
Instruction ID: e483a468d747201b1b3baae5540988588b72a628f9d4dd3fdebdc62204fce7b4
Opcode Fuzzy Hash: 6719f870636f53a3c6e272fc7290de26718f972dd7d508b2d20b451f2b5753d9
Instruction Fuzzy Hash: 7F618E7291412DEACF49EBE4CC91DFDB3B9BF14340B448129F646A3191EF786A05CBA4

Function 0070E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0070E1B1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 49d3492254f016313b93ce9be4060c8f30d83c519899b90b617336ac0c4c50b6
Instruction ID: 0410a97a82fd05092d3171cff1e694c284727fd56b00374382e8dc45164c8898
Opcode Fuzzy Hash: 49d3492254f016313b93ce9be4060c8f30d83c519899b90b617336ac0c4c50b6
Instruction Fuzzy Hash: AC513435504246DFDB16DF28C481ABA7BA9FF56330F248569E8919B2D0D7389D42CBA0

Function 0070F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0070F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0070F2BB

Strings

@, xrefs: 0070F2AF

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c883d120f5e57437ac7df5c652845beb63cc2d7d0311a0155d5c734de9acddc5
Instruction ID: 66ef7ae9b329c51ea612c22491c379b0f4d6b99de9102c6666f20d956c379886
Opcode Fuzzy Hash: c883d120f5e57437ac7df5c652845beb63cc2d7d0311a0155d5c734de9acddc5
Instruction Fuzzy Hash: 2B5159724087499BD360AF14D886BABB7F9FFC5310F81884CF29941195EB309929CB6B

Function 00775745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007757E0
_wcslen.LIBCMT ref: 007757EC

Strings

CALLARGARRAY, xrefs: 007757E6, 007757EB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f466e521098605444882b0e24f3187a3a9a9182c764a5ea57d894417e30870dd
Instruction ID: 7ff0f57b164704633ed4e64aa35c8140ef7df73f00a9e0bd4d1d21ca5377a551
Opcode Fuzzy Hash: f466e521098605444882b0e24f3187a3a9a9182c764a5ea57d894417e30870dd
Instruction Fuzzy Hash: 3D41AE31A00109DFCF04DFA9C8859BEBBF5EF59360F10812DE509A7291E7B89D81CBA1

Function 0076D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0076D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0076D13A

Strings

|, xrefs: 0076D10B

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d3080ff34bcb481abb6b84613b94076541950a783c3dcfbc6f757b85f1b8356a
Instruction ID: 8d6c4078c6ef35019dc2f122fa3f68e527fa4f782b3de6a61e6082c658812a0c
Opcode Fuzzy Hash: d3080ff34bcb481abb6b84613b94076541950a783c3dcfbc6f757b85f1b8356a
Instruction Fuzzy Hash: 7C315D71D0020DABCF15EFA4CC85AEEBFBAFF05304F000019F915A6166E775AA46CB64

Function 0078356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00783621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0078365C

Strings

static, xrefs: 007835BC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3000d3abfd8dc933d8738bfdca3f671478744cf060035bd1347ed2764f3b988b
Instruction ID: c3976b93149dc125e4aee49a041253abcf105fc0cdb2454945df15241d77a5f7
Opcode Fuzzy Hash: 3000d3abfd8dc933d8738bfdca3f671478744cf060035bd1347ed2764f3b988b
Instruction Fuzzy Hash: ED319071250604AEDB10EF38DC40EFB73A9FF88B24F10961DF9A597280DA38AD91C764

Function 00784537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0078461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00784634

Strings

', xrefs: 0078458E

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 658b9ff75a239a4643c11bdfc031616327a25b5d21ecd856e520122db5712c20
Instruction ID: 2dcbd0c393df0b1bfc2597b2ef4031e9df6af9f24593fc3373ed96ac4dd1660c
Opcode Fuzzy Hash: 658b9ff75a239a4643c11bdfc031616327a25b5d21ecd856e520122db5712c20
Instruction Fuzzy Hash: EC312774A4030A9FDB14DFA9C980BDE7BB5FF09300F10406AE904AB341E7B4A951CF90

Function 007831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0078327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00783287

Strings

Combobox, xrefs: 00783249

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6b87a1649fd9727f1afe3267e7f016c29647d5c9c6967b29feecc4de6c7512b5
Instruction ID: 99a8914bad8c50bad32b98e5f18d604d2b14637ca974e9c2777e7c1b926749b8
Opcode Fuzzy Hash: 6b87a1649fd9727f1afe3267e7f016c29647d5c9c6967b29feecc4de6c7512b5
Instruction Fuzzy Hash: 8D11B271340208BFEF25AE58DC84EBB376AFB94764F104128F91897291D6799D518760

Function 00783710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006F604C
Part of subcall function 006F600E: GetStockObject.GDI32(00000011), ref: 006F6060
Part of subcall function 006F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006F606A

GetWindowRect.USER32(00000000,?), ref: 0078377A
GetSysColor.USER32(00000012), ref: 00783794

Strings

static, xrefs: 00783757

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 06e2fdaa1422d8d5c2b205f930648e98db9f1ab19e17d82af2c65c8c7be4f162
Instruction ID: 9f5357150616abc03d2e5765ec316f314ab26ffd469303633ce635ec71e54dae
Opcode Fuzzy Hash: 06e2fdaa1422d8d5c2b205f930648e98db9f1ab19e17d82af2c65c8c7be4f162
Instruction Fuzzy Hash: 3E1129B2650209AFDF01EFA8CC45EEA7BB8EB08714F104529FD55E2250E739E8619B60

Function 0076CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0076CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0076CDA6

Strings

<local>, xrefs: 0076CD66

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0b55d7701ecca1ef2914678d3a075c5bc2cd2822ae712453bd9e7b50944e9205
Instruction ID: 67bd6136b752a70edd36401d3e80f8dd6a237814fef0f416e742a7c067b4d473
Opcode Fuzzy Hash: 0b55d7701ecca1ef2914678d3a075c5bc2cd2822ae712453bd9e7b50944e9205
Instruction Fuzzy Hash: 1D11C6713456317AD7365B66CC45FF7BE6CEF127A4F104226B98A83180D7789844D6F0

Function 00783429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007834BA

Strings

edit, xrefs: 0078348F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e389512837dd767b1b972fd0149bba8ff70a9b1046c65f68a1e25d8e21065130
Instruction ID: 7141d69cf47c511868b448d363e23210d397a8bd89dedb18fe758bbfc44c46e4
Opcode Fuzzy Hash: e389512837dd767b1b972fd0149bba8ff70a9b1046c65f68a1e25d8e21065130
Instruction Fuzzy Hash: 0D11BF71140148ABEF12AE68DC44EBB376AEF05B74F604324F969931D0C779DC519764

Function 00756C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00756CB6
_wcslen.LIBCMT ref: 00756CC2

Strings

STOP, xrefs: 00756CBC, 00756CC1

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1e48383b53c833ce5f19963ab48e2fe49b2cb56ded1fdc9ed15b55c0ef4e27e0
Instruction ID: 13b603b1187050a0d659314a4e1452284de9a49996a55b8cde78962689b384e4
Opcode Fuzzy Hash: 1e48383b53c833ce5f19963ab48e2fe49b2cb56ded1fdc9ed15b55c0ef4e27e0
Instruction Fuzzy Hash: 2A01C8327005268ACB11AFBDDC909FF77B5EA617117900938ED5297190FA79E948C660

Function 00751CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00751D4C

Strings

ListBox, xrefs: 00751D16
ComboBox, xrefs: 00751CEB

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ef4c1721e1cc7ba1fecf84831474a3139decb0f6acdf048ec6a6c1ad627bc7a2
Instruction ID: 1243e8a75853b7085b90d1d093c14b6b50bc85f5642c5feba2ff5ee4c0bce514
Opcode Fuzzy Hash: ef4c1721e1cc7ba1fecf84831474a3139decb0f6acdf048ec6a6c1ad627bc7a2
Instruction Fuzzy Hash: E501F571700218AB8B08EFA0CC15EFE7379EB02391B440919EC32572D1EAB9590C8770

Function 00751BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00751C46

Strings

ListBox, xrefs: 00751C10
ComboBox, xrefs: 00751BE5

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b0c0dd4e83c6db74a1ea21d513fe1bc5eb5bfb3f538197c51ede744f20e1dcf7
Instruction ID: 7c88677a5f12c0ff4e2275a8397d32a60535798ed7eae981bf3976d84561d2c8
Opcode Fuzzy Hash: b0c0dd4e83c6db74a1ea21d513fe1bc5eb5bfb3f538197c51ede744f20e1dcf7
Instruction Fuzzy Hash: 3F01F7B178010866CB08EB90C951FFF77A99F11381F540419ED16632C1EA699E0CC7B5

Function 00751C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00751CC8

Strings

ListBox, xrefs: 00751C94
ComboBox, xrefs: 00751C69

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 99f99da586f160a5e9acda3c5638dca7fee63a28026bdbc6e87258bf2e85adc3
Instruction ID: dece8c5489ca8dfcae47e106f26f7934f48cdfda77a362464623f77ef50a452a
Opcode Fuzzy Hash: 99f99da586f160a5e9acda3c5638dca7fee63a28026bdbc6e87258bf2e85adc3
Instruction Fuzzy Hash: FE01D6B178011867CB04EBA0CA01FFF77A99B11382F540419BD12B3281EAAA9F0CC675

Function 0070A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070A529

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Strings

,%|, xrefs: 0070A509
3yt, xrefs: 0070A545, 0070A54D, 0070A552

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%|$3yt
API String ID: 2551934079-1591345639
Opcode ID: 789fba31d43808a9438e07c0edcc13d8bfdf659a3c6ab62208efb23251899907
Instruction ID: 3768b4f49599296e34803b94261fc9612887b597df9df3b82a02bc598b678fa0
Opcode Fuzzy Hash: 789fba31d43808a9438e07c0edcc13d8bfdf659a3c6ab62208efb23251899907
Instruction Fuzzy Hash: 4401F731600714EBC604F76CAC1BFAD3394AB05710F40416CF601971C3EE9C5D5286EB

Function 00751D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006F9CB3: _wcslen.LIBCMT ref: 006F9CBD

Part of subcall function 00753CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00753CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00751DD3

Strings

ListBox, xrefs: 00751DA0
ComboBox, xrefs: 00751D75

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e8a45ec233144292f552c917e4b77eb8697a254143ad8cfed4d41f88c8c80e21
Instruction ID: 61924066aaa9245fc29dd5f40e6b493fe6e64aa6756ec28eb61dd4537eba5568
Opcode Fuzzy Hash: e8a45ec233144292f552c917e4b77eb8697a254143ad8cfed4d41f88c8c80e21
Instruction Fuzzy Hash: 46F081B1B4121866DB08ABA4CC56BFF7779AB01391F440D19B922A32C1EAB8590C8274

Function 00788172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007C3018,007C305C), ref: 007881BF
CloseHandle.KERNEL32 ref: 007881D1

Strings

\0|, xrefs: 0078818A

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0|
API String ID: 3712363035-470943010
Opcode ID: 6ab5b54c3bec86a7619f093e2609d8ac4c67657ac015ef7f8e9169ed884786b4
Instruction ID: aa65a3927f2667dcc8ac90ecc3e8b8751875e79f2d03ecdc48b44725a8acb87f
Opcode Fuzzy Hash: 6ab5b54c3bec86a7619f093e2609d8ac4c67657ac015ef7f8e9169ed884786b4
Instruction Fuzzy Hash: 0CF05EB2680304BAF3206765AC49FB77B5DEB04750F00C42ABB08D51A2D67D8A9193BD

Function 0077747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00777493
_wcslen.LIBCMT ref: 007774B9

Strings

3, 3, 16, 1, xrefs: 00777483

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7fa269c251b996290601bfb87b49826693274def5a30accb7a2248093b5115ec
Instruction ID: 0cb12d338ba3f6a1fa8e00480540d7c9835fb195bce548dead3605ffb9bd5292
Opcode Fuzzy Hash: 7fa269c251b996290601bfb87b49826693274def5a30accb7a2248093b5115ec
Instruction Fuzzy Hash: C7E02B422043A060D739127E9CC5ABF56C9DFC67D0714182BF989C22B6EA9C9DD1D3A0

Function 00750B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00750B23

Strings

Error allocating memory., xrefs: 00750B1C
AutoIt, xrefs: 00750B17

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e39579df5ea4f31d1f02afe949e7233433680ba68d16c58dbcc5d0240dab4a01
Instruction ID: 6b6871812618797b7cb7562406240b5568663a3c2b0ae4c831d3c1843fcaf6c4
Opcode Fuzzy Hash: e39579df5ea4f31d1f02afe949e7233433680ba68d16c58dbcc5d0240dab4a01
Instruction Fuzzy Hash: 87E0D831284308A6D2213754BC07FC97AC48F05B11F10046AFB58555C38AF9349007FD

Function 00710D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0070F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00710D71,?,?,?,006F100A), ref: 0070F7CE

IsDebuggerPresent.KERNEL32(?,?,?,006F100A), ref: 00710D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006F100A), ref: 00710D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00710D7F

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5d35166e9283a77e5ec1727a5f97d12b23f8f7ac17581a158b6cb4a3e6e9e35a
Instruction ID: 4f13f48cd4a90567d8cdb55e92d644a0565f38c9e48c4aff408d1d0292f2742b
Opcode Fuzzy Hash: 5d35166e9283a77e5ec1727a5f97d12b23f8f7ac17581a158b6cb4a3e6e9e35a
Instruction Fuzzy Hash: 64E0ED742407518BD371AFBCE8087967BE4BB04754F40893DE486C6696DBFDE4848BE1

Function 0070E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070E3D5

Strings

0%|, xrefs: 0070E3B5
8%|, xrefs: 0070E3CA

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%|$8%|
API String ID: 1385522511-3928261334
Opcode ID: 55bff640fe5a1e6e9e1e694bf3e3efe16dd808021726ad50c557c75a1ce1f7c8
Instruction ID: c6d4a37fa0425a0ebfae5eaeafbd3433dbde2f85a7451e4d7de3cea8fc2f6aa1
Opcode Fuzzy Hash: 55bff640fe5a1e6e9e1e694bf3e3efe16dd808021726ad50c557c75a1ce1f7c8
Instruction Fuzzy Hash: 51E0863141CD24CBC704971CB859E8AB795AB05320B5056FDE5128B1D3DF7C68939699

Function 00763017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0076302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00763044

Strings

aut, xrefs: 00763038

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 388c00feb5ca1c5320decb6d079f9dc6da30c6788a9d15babce374b143e695b1
Instruction ID: 33bacde795180c024392a8a37cd13a8db337cd1044f3cd63bfb9c697224baad4
Opcode Fuzzy Hash: 388c00feb5ca1c5320decb6d079f9dc6da30c6788a9d15babce374b143e695b1
Instruction Fuzzy Hash: 40D05EB254032867DA20A7A4AC0EFCB3A6CEB04750F0042A1B655E60D1DAB89984CBE4

Function 0074D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0074D220

Strings

%.3d, xrefs: 0074D22B
X64, xrefs: 0074D2A8

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6a231facb3843b8d589d8ce19a057fb9ffe84698279d9c04f7db43dc8f84c914
Instruction ID: 0de362657688f016c366f9bc15a50280d84dd782c9030731a775ac7e45e68a87
Opcode Fuzzy Hash: 6a231facb3843b8d589d8ce19a057fb9ffe84698279d9c04f7db43dc8f84c914
Instruction Fuzzy Hash: 5ED012B1848109EACBB096E0CC499B9B3BCBB08301F608452F946D2080D77CCD08AB61

Function 00782356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078236C
PostMessageW.USER32(00000000), ref: 00782373

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Strings

Shell_TrayWnd, xrefs: 00782365

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7918eddf8ddc1e6ae2bdfd5101d47f23381fb99fe38c727f1c64d7dbf0ba3112
Instruction ID: 71eaa579474b2401ca21985e2e4f73b2df15fa84576313957bbb72439ff76ea2
Opcode Fuzzy Hash: 7918eddf8ddc1e6ae2bdfd5101d47f23381fb99fe38c727f1c64d7dbf0ba3112
Instruction Fuzzy Hash: E6D0C9723C1310BAE669A7709C0FFC666159B05B11F2089667745AA1D1D9F8B8058B68

Function 00782322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0078233F

Part of subcall function 0075E97B: Sleep.KERNEL32 ref: 0075E9F3

Strings

Shell_TrayWnd, xrefs: 00782325

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fed24e6dfb4d65d3aa564f062a5950afeefe86a92e971ea8ed4851eb7069e19f
Instruction ID: 84f4b904db9a54796ee05e59dc96ccaa7df417918b0bd68d6baef7b94ab387a9
Opcode Fuzzy Hash: fed24e6dfb4d65d3aa564f062a5950afeefe86a92e971ea8ed4851eb7069e19f
Instruction Fuzzy Hash: 1DD012763D4310B7E668B770DC1FFC67A159B00B11F2089667745AA1D1D9FCB805CB68

Function 0072BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0072BE93
GetLastError.KERNEL32 ref: 0072BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0072BEFC

Memory Dump Source

Source File: 00000000.00000002.1740196676.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000000.00000002.1740169976.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.000000000078C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740270073.00000000007B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740320766.00000000007BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740345922.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 23620dc3265a691af2eaa83414b5d0a6ed95ffcde37288324160b8dadb05b186
Instruction ID: f1e991aa2af569d0ee693de2440ef7f69c78bbac431be9bf4b8ac43f20e10afe
Opcode Fuzzy Hash: 23620dc3265a691af2eaa83414b5d0a6ed95ffcde37288324160b8dadb05b186
Instruction Fuzzy Hash: 60412D35A00226EFCF218F64ED88AFA7BA5EF41320F25416DF959571E1DB388D01CB61

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1803610625.0000016B1E49F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1853519138.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900831098.0000016B1CAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775015617.0000016B1C77D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1853519138.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900831098.0000016B1CAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775015617.0000016B1C77D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1779885088.0000016B150B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779885088.0000016B150B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1852315250.0000016B16F35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917592756.0000016B16F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1852315250.0000016B16F35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917592756.0000016B16F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1853519138.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900831098.0000016B1CAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775015617.0000016B1C77D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1853519138.0000016B15DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900831098.0000016B1CAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775015617.0000016B1C77D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849925597.0000016B1806E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.000002534650A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3540397650.00000121A600C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849925597.0000016B1806E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.000002534650A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3540397650.00000121A600C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1849925597.0000016B1806E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3539617043.000002534650A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3540397650.00000121A600C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1924102859.0000016B20006000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1779885088.0000016B150B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779885088.0000016B150B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1914839483.0000016B2001D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1779885088.0000016B150B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900831098.0000016B1CA5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779885088.0000016B150AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49837 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49836 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31431ecc-1a1d-49a2-823b-6acc110d75d9.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_31431ecc-1a1d-49a2-823b-6acc110d75d9.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8N40XT4FMLGQVNLGUYSU.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TPI3F41MDA88A4TN5N33.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre