Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545827
MD5:	994b7b7dc1d504aca1c653f4aa6cedf1
SHA1:	eecae1acf353ea69cd13b0ae1c1afff8ec3272ee
SHA256:	903f44f9a703778dec90fc768274e325d10cb5b5a76adce6f21177e55d0b6ec7
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to detect sleep reduction / modifications

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 994B7B7DC1D504ACA1C653F4AA6CEDF1)

taskkill.exe (PID: 7352 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7448 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7504 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7568 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7632 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7696 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7728 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7744 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7988 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30828f1-d7f7-491e-a174-0d50cbb3c3e7} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c089570710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7552 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d4d356-c33f-478b-aed1-4b6cb6bb653d} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09b9be810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7616 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18a257c-3238-419d-ad26-872c475307f4} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09a573f10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7336	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00FAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_47176214-a
Source: file.exe, 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c25b8aa2-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f7735f8e-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_172a64ba-1

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024F409942B7 NtQuerySystemInformation,		16_2_0000024F409942B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024F409B3CF2 NtQuerySystemInformation,		16_2_0000024F409B3CF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F38060	0_2_00F38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2046	0_2_00FA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F98298	0_2_00F98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6E4FF	0_2_00F6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6676B	0_2_00F6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC4873	0_2_00FC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3CAF0	0_2_00F3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5CAA0	0_2_00F5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4CC39	0_2_00F4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F66DD9	0_2_00F66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F391C0	0_2_00F391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4B119	0_2_00F4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51394	0_2_00F51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51706	0_2_00F51706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5781B	0_2_00F5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F519B0	0_2_00F519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4997D	0_2_00F4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F37920	0_2_00F37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F57A4A	0_2_00F57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F57CA7	0_2_00F57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51C77	0_2_00F51C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F69EEE	0_2_00F69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBBE44	0_2_00FBBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51F32	0_2_00F51F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024F409942B7	16_2_0000024F409942B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024F409B3CF2	16_2_0000024F409B3CF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024F409B441C	16_2_0000024F409B441C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024F409B3D32	16_2_0000024F409B3D32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F4F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@34/36@68/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA37B5 GetLastError,FormatMessageW,

0_2_00FA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F910BF AdjustTokenPrivileges,CloseHandle,		0_2_00F910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F9D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1871428037.000001C0A4C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30828f1-d7f7-491e-a174-0d50cbb3c3e7} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c089570710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d4d356-c33f-478b-aed1-4b6cb6bb653d} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09b9be810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18a257c-3238-419d-ad26-872c475307f4} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09a573f10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30828f1-d7f7-491e-a174-0d50cbb3c3e7} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c089570710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d4d356-c33f-478b-aed1-4b6cb6bb653d} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09b9be810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18a257c-3238-419d-ad26-872c475307f4} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09a573f10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1798244774.000001C0A5C01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1803303085.000001C096AA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1804255389.000001C096A94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1803303085.000001C096AA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1798244774.000001C0A5C01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1804255389.000001C096A94000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9C9FE push esi; ret	0_2_00F9CA01
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F50A76 push ecx; ret	0_2_00F50A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9CA33 push esi; ret	0_2_00F9CA36

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F3D85A

0_2_00F3D85A

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-91309

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024F409942B7 rdtsc

16_2_0000024F409942B7

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\file.exe TID: 7340	Thread sleep count: 109 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7340	Thread sleep count: 149 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA68EE FindFirstFileW,FindClose,	0_2_00FA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: firefox.exe, 00000010.00000002.2929036456.0000024F40A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#IHE
Source: firefox.exe, 0000000F.00000002.2930696115.0000018A87A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%D*
Source: firefox.exe, 0000000F.00000002.2921972399.0000018A870CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2920766216.0000024F401DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929036456.0000024F40A30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2923371248.0000024B7933A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2924446626.0000018A8741D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2929036456.0000024F40A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'CLC
Source: firefox.exe, 0000000F.00000002.2930696115.0000018A87A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2929036456.0000024F40A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024F409942B7 rdtsc

16_2_0000024F409942B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAEAA2 BlockInput,

0_2_00FAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00F54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F90B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F509D5 SetUnhandledExceptionFilter,	0_2_00F509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00F91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F72BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9B226 SendInput,keybd_event,

0_2_00F9B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FB22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00F90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F50698 cpuid

0_2_00F50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FA8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F8D27A GetUserNameW,

0_2_00F8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F6BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F6BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7336, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7336, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	42%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.193	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.129.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.185.142	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.186.142	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.129.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000D.00000003.1750234377.000001C099D6D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2924449408.0000024B795C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1860701096.000001C09A8B0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1750963158.000001C09AE07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854728462.000001C09B888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791660967.000001C09B888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860832828.000001C09A899000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2926601351.0000018A876E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2923250199.0000024F404E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929675158.0000024B79705000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1731565160.000001C0A1336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808685238.000001C0A1332000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732139790.000001C0A1332000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2924449408.0000024B7958F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1877538292.000001C09A46E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1738636540.000001C09AF67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1874013689.000001C0A14BB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1785685390.000001C0A503B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1861790507.000001C09A5FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876885157.000001C09A5FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1703092625.000001C09915A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702627119.000001C098F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702970723.000001C09913C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702825838.000001C09911F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1703253085.000001C099177000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1864122082.000001C09ABB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875778530.000001C09ADE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875778530.000001C09AD89000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1733839662.000001C0A1237000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1874013689.000001C0A1419000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1703092625.000001C09915A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702627119.000001C098F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702970723.000001C09913C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702825838.000001C09911F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1703253085.000001C099177000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1788274471.000001C09C877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859089505.000001C09C877000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1703092625.000001C09915A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702627119.000001C098F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702970723.000001C09913C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702825838.000001C09911F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1703253085.000001C099177000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1875317020.000001C09BC1F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1877538292.000001C09A46E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2926601351.0000018A876E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2923250199.0000024F404E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929675158.0000024B79705000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1853120385.000001C0A1BC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1852529282.000001C0A4FCD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1831648533.000001C0A51BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878889372.000001C0A51BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784948892.000001C0A51B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851985710.000001C0A51BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2926601351.0000018A876E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2923250199.0000024F404E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929675158.0000024B79705000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1852529282.000001C0A4FCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2923250199.0000024F40403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2924449408.0000024B7950C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1750987064.000001C09AE53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750833552.000001C09AE50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1853167122.000001C0A1BA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872888151.000001C0A1BBA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2924449408.0000024B795C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1787437053.000001C0A1195000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1750234377.000001C099DA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750234377.000001C099D6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750833552.000001C09AE50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750833552.000001C09AE39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750234377.000001C099D8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1797188500.000001C09A747000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1866810104.000001C0A4F85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1864122082.000001C09ABEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792081757.000001C09ABEA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1862040694.000001C09A5D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1851985710.000001C0A51B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878889372.000001C0A51B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831648533.000001C0A51B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784948892.000001C0A51B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831648533.000001C0A51B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784948892.000001C0A51B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1874013689.000001C0A14BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787997360.000001C09CD41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2923250199.0000024F40412000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2924449408.0000024B79513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1733839662.000001C0A1237000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1873635118.000001C0A1679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786606204.000001C0A1677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853488758.000001C0A1677000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1733839662.000001C0A124A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1733839662.000001C0A12F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827250556.000001C09A9C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1795040036.000001C09A6B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796780717.000001C09A9AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797188500.000001C09A73B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788274471.000001C09C830000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800175851.000001C0995ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797188500.000001C09A760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789517977.000001C09BE83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800175851.000001C0995D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732287941.000001C0A13B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840571534.000001C0995FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809928824.000001C09A766000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868002821.000001C09BCDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789783857.000001C09BCDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1809928824.000001C09A783000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840571534.000001C0995DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1715524628.000001C0995D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866711480.000001C0A4FAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866593342.000001C0A4FB3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1788274471.000001C09C877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859089505.000001C09C877000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1787997360.000001C09CDAA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1788274471.000001C09C861000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788274471.000001C09C877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859089505.000001C09C861000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859089505.000001C09C877000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1733839662.000001C0A1237000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1857443329.000001C0A1238000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1787002136.000001C0A12D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1733839662.000001C0A12D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1787002136.000001C0A12D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1733839662.000001C0A12D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1873635118.000001C0A1679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786606204.000001C0A1677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853488758.000001C0A1677000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1731565160.000001C0A1336000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1808685238.000001C0A1332000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1732139790.000001C0A1332000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1874013689.000001C0A1419000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1738636540.000001C09AF67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1874013689.000001C0A1423000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1787997360.000001C09CDE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1704962786.000001C098D19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705163494.000001C098D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1704509482.000001C098D33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1750234377.000001C099D6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1855369473.000001C09A8D9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1875198031.000001C09C87B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788274471.000001C09C877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859089505.000001C09C877000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1750987064.000001C09AE53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750234377.000001C099DA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750833552.000001C09AE50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1751018333.000001C09AE3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750833552.000001C09AE39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750234377.000001C099D8C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1704962786.000001C098D19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1705163494.000001C098D33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1704509482.000001C098D33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1853167122.000001C0A1BA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872888151.000001C0A1BBA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2926601351.0000018A876E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2923250199.0000024F404E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2929675158.0000024B79705000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1874013689.000001C0A144C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1859089505.000001C09C8DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1738636540.000001C09AF67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1785685390.000001C0A503B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2923610951.0000018A871B0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2922510860.0000024F402A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2923897332.0000024B79390000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1703253085.000001C099177000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1787997360.000001C09CDE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702627119.000001C098F00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702970723.000001C09913C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1702825838.000001C09911F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1703253085.000001C099177000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.114.100	unknown	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.185.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545827
Start date and time:	2024-10-31 05:16:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@34/36@68/13
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.160.212.113, 54.185.230.140, 52.11.191.138, 2.22.61.56, 2.22.61.59, 142.250.184.238, 142.250.185.78, 216.58.206.42, 142.250.186.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:17:02	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
twitter.com	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	Arquivo_4593167.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 142.250.114.100 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_900abc6c-abba-435f-9234-3abee6a4a246.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180546979989338
Encrypted:	false
SSDEEP:	192:ijMXEm5cbhbVbTbfbRbObtbyEl7nkNrJA6WnSrDtTUd/SkDrN:iYhcNhnzFSJENiBnSrDhUd/z
MD5:	495815C6D63E345DDE756F6530EE9A34
SHA1:	ED504D69C7933C2DC848E83DDE3870250C784716
SHA-256:	B4AA9878FC71EA9873EEE23A38F73432EED008B4570D3A48C64CC35E02E4460A
SHA-512:	B874E53AD20B8777CBAFDCD58632E044613F8752FE1F6CBB867F3146F19720B11F6A4865E2EDAF62A3AF13A3F65F3D79C822739834D66015BFA01B0E7CC007E0
Malicious:	false
Preview:	{"type":"uninstall","id":"900abc6c-abba-435f-9234-3abee6a4a246","creationDate":"2024-10-31T05:27:37.844Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_900abc6c-abba-435f-9234-3abee6a4a246.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180546979989338
Encrypted:	false
SSDEEP:	192:ijMXEm5cbhbVbTbfbRbObtbyEl7nkNrJA6WnSrDtTUd/SkDrN:iYhcNhnzFSJENiBnSrDhUd/z
MD5:	495815C6D63E345DDE756F6530EE9A34
SHA1:	ED504D69C7933C2DC848E83DDE3870250C784716
SHA-256:	B4AA9878FC71EA9873EEE23A38F73432EED008B4570D3A48C64CC35E02E4460A
SHA-512:	B874E53AD20B8777CBAFDCD58632E044613F8752FE1F6CBB867F3146F19720B11F6A4865E2EDAF62A3AF13A3F65F3D79C822739834D66015BFA01B0E7CC007E0
Malicious:	false
Preview:	{"type":"uninstall","id":"900abc6c-abba-435f-9234-3abee6a4a246","creationDate":"2024-10-31T05:27:37.844Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925798040269019
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNH96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLQl8P
MD5:	F0E118DA6A3AE18F76E152795F4BA9BB
SHA1:	0451BE257194A4EC06B6BCD3F2A9FEEDB93A5298
SHA-256:	385687FD1807E49D8D036DDCEBD402C824A86CF1DE016708E6B3849A0A9169A4
SHA-512:	7914C2F11B2451FB28D1290C746914CD44C57C3A68A59F6CC705DE325DBF3E44CCDDF2C091A475532B8989F2630476E6801A0823FFD38EE5FA3AF940660AFA21
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925798040269019
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNH96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLQl8P
MD5:	F0E118DA6A3AE18F76E152795F4BA9BB
SHA1:	0451BE257194A4EC06B6BCD3F2A9FEEDB93A5298
SHA-256:	385687FD1807E49D8D036DDCEBD402C824A86CF1DE016708E6B3849A0A9169A4
SHA-512:	7914C2F11B2451FB28D1290C746914CD44C57C3A68A59F6CC705DE325DBF3E44CCDDF2C091A475532B8989F2630476E6801A0823FFD38EE5FA3AF940660AFA21
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187632
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	71FDE21137B7EC82DB709C6C501EAF23
SHA1:	F233A2EDB50DF3458E0EC67582909860B8132492
SHA-256:	C6B9868D8BAB1A7E9FDA063331BC7F91FF1E4C0153B237C1FB56BA7FFDD0EB18
SHA-512:	F1F889EFABB2EBCCBD889826E371B80730C5306E228D7C920858355B012587EFAE652AF7C6B10C86165C0ACF4795B78749AFC8FD5FAFDD2519934CA4FEFA13F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFv8mddqGwjVoPlstFv8mddqGwjN//lT89//alEl:GtWthddnPWthdd8J89XuM
MD5:	F7C8C1581799BCA2FCB10491A6C00528
SHA1:	AADFA254DD09EF3399E2B41061A5A9E7A8F1D3B7
SHA-256:	CCC11C5F78566BEBAF8E476F6FD554B8603C7C009DCAFE6EDA207EAB7E9A07CE
SHA-512:	E3E552B92C7DD5BE538FB7733BDB94D4A746E995AA9EC358CD927F233D0E6FAA162B37CD7CEF4BC935296D4B14ADC6535AABF13E393AA97C75008859228C4609
Malicious:	false
Preview:	..-......................Z3\|N. ~8k..u.\|. ...GK5..-......................Z3\|N. ~8k..u.\|. ...GK5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03976733009585793
Encrypted:	false
SSDEEP:	3:Ol17FtvtjAydwGEfwl8rEXsxdwhml8XW3R2:KfzjAOcwl8dMhm93w
MD5:	E2A879BFFC1F62309EF173258F16EDFB
SHA1:	CF6234254E40A7D341C1DB5BAB4A8E0C522376D8
SHA-256:	5978745A79ED51EC2E08A96AF2FAA2FE29F3351E77CA291D65E67EAF7259F44F
SHA-512:	19A0F40D43E8E167260E774921FDFB8298A241105ED8E49E3B2CEB42E7D57A9861134D01680C29568DF3F34912FF3E4A9F473D8E87BEE01ECCCF536E18DD895D
Malicious:	false
Preview:	7....-..........8k..u.\|.u.nK.Ae........8k..u.\|.\|3Z.~ .N................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49412535424445
Encrypted:	false
SSDEEP:	192:EnaRtLYbBp6rhj4qyaaXa6KVfNQo5RfGNBw8dTSl:ZeVqWWVFcwo0
MD5:	4E6008557BA365FF4EE39C203DEC0555
SHA1:	C4F7749C801F83E041B6ACD959EF81E56FA21C49
SHA-256:	8F0C83B0FCCA4EF9608F85D13563903D4B0601974ECE923DE6ECCB00FA3531F0
SHA-512:	86C53EC2B6570D85427A8DB30036F460E569B0014D4169F0A4E129B558982899101F7EFB5155F416168CFE7EC5A7598FA9995FF3FE715E55FF9F783BD56DD94F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730352428);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730352428);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730352428);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173035

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.49412535424445
Encrypted:	false
SSDEEP:	192:EnaRtLYbBp6rhj4qyaaXa6KVfNQo5RfGNBw8dTSl:ZeVqWWVFcwo0
MD5:	4E6008557BA365FF4EE39C203DEC0555
SHA1:	C4F7749C801F83E041B6ACD959EF81E56FA21C49
SHA-256:	8F0C83B0FCCA4EF9608F85D13563903D4B0601974ECE923DE6ECCB00FA3531F0
SHA-512:	86C53EC2B6570D85427A8DB30036F460E569B0014D4169F0A4E129B558982899101F7EFB5155F416168CFE7EC5A7598FA9995FF3FE715E55FF9F783BD56DD94F
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730352428);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730352428);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730352428);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173035

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\3895876c-8bdb-46a0-89f5-9ad1f1fd9a9a (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.972363958554701
Encrypted:	false
SSDEEP:	12:YZFgvwLpIzhIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YRIzhSlCOlZGV1AQIWZcy6Z2d
MD5:	A28F6D8C4B98B77AFB3114D410C31674
SHA1:	3437B4043FB3985E62F9803DF8B871FCD5CCDCD3
SHA-256:	45870C260F48FC15EA185D51BE4620C5C23B292C17051F7B1E3C4B14986F5FBC
SHA-512:	173BDF073AF12C4E8205A90208A4056061409C9EB0CEED1D55D85817B17CD721125B5044A58BEEA91A8A8664D69E201AEE02113359C0E5E914D5E2A605FFC6D3
Malicious:	false
Preview:	{"type":"health","id":"3895876c-8bdb-46a0-89f5-9ad1f1fd9a9a","creationDate":"2024-10-31T05:27:38.500Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\3895876c-8bdb-46a0-89f5-9ad1f1fd9a9a.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.972363958554701
Encrypted:	false
SSDEEP:	12:YZFgvwLpIzhIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YRIzhSlCOlZGV1AQIWZcy6Z2d
MD5:	A28F6D8C4B98B77AFB3114D410C31674
SHA1:	3437B4043FB3985E62F9803DF8B871FCD5CCDCD3
SHA-256:	45870C260F48FC15EA185D51BE4620C5C23B292C17051F7B1E3C4B14986F5FBC
SHA-512:	173BDF073AF12C4E8205A90208A4056061409C9EB0CEED1D55D85817B17CD721125B5044A58BEEA91A8A8664D69E201AEE02113359C0E5E914D5E2A605FFC6D3
Malicious:	false
Preview:	{"type":"health","id":"3895876c-8bdb-46a0-89f5-9ad1f1fd9a9a","creationDate":"2024-10-31T05:27:38.500Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.334654799255563
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSDVELXnIgN/pnxQwRlszT5sKtAqX3eHVQj6TRamhujJlOsIomNVr0l:GUpOxaEvnR6bX3eHTR4JlIquR4
MD5:	A361FC13E63A750309A4404ECAB6FFF1
SHA1:	9AB80B7F81D62883026122F4C8ED49F255CBFD9A
SHA-256:	BD95F4B3DC816EDC12391A41B1E471FE9DCE9DDA3CF008D46876C74885F0C3D4
SHA-512:	9AFD03B1130209B7B7BF5EBF336985AB97F758C1C6FA5929639BB42D8385E569DD8B1F38AE3453B7AC490E5D6E4436AD4156874249836A95EB3D9E8B3041CB2E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{78cf8809-1149-410e-903c-b72694c22e38}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730352433003,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..@3974...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...02313,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.334654799255563
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSDVELXnIgN/pnxQwRlszT5sKtAqX3eHVQj6TRamhujJlOsIomNVr0l:GUpOxaEvnR6bX3eHTR4JlIquR4
MD5:	A361FC13E63A750309A4404ECAB6FFF1
SHA1:	9AB80B7F81D62883026122F4C8ED49F255CBFD9A
SHA-256:	BD95F4B3DC816EDC12391A41B1E471FE9DCE9DDA3CF008D46876C74885F0C3D4
SHA-512:	9AFD03B1130209B7B7BF5EBF336985AB97F758C1C6FA5929639BB42D8385E569DD8B1F38AE3453B7AC490E5D6E4436AD4156874249836A95EB3D9E8B3041CB2E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{78cf8809-1149-410e-903c-b72694c22e38}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730352433003,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..@3974...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...02313,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	6.334654799255563
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSDVELXnIgN/pnxQwRlszT5sKtAqX3eHVQj6TRamhujJlOsIomNVr0l:GUpOxaEvnR6bX3eHTR4JlIquR4
MD5:	A361FC13E63A750309A4404ECAB6FFF1
SHA1:	9AB80B7F81D62883026122F4C8ED49F255CBFD9A
SHA-256:	BD95F4B3DC816EDC12391A41B1E471FE9DCE9DDA3CF008D46876C74885F0C3D4
SHA-512:	9AFD03B1130209B7B7BF5EBF336985AB97F758C1C6FA5929639BB42D8385E569DD8B1F38AE3453B7AC490E5D6E4436AD4156874249836A95EB3D9E8B3041CB2E
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{78cf8809-1149-410e-903c-b72694c22e38}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730352433003,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..@3974...recentCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...02313,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033322499315566
Encrypted:	false
SSDEEP:	48:YrSAYn96UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yc9yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	B5FF4681CE00A54FE723A8843C624696
SHA1:	98C14DAD074E6B8A57BF6E4F2C4FA8629C2A86A8
SHA-256:	C008168F6C7A38E5D3A238FC4640CDA3CF727A70D076AC2A7350F887D58E77A0
SHA-512:	66B3C95F2759EA827F123F28745721426D41D582DEA1A6F9543C9164844D92DC6BD8A61832DFB9BA62732EEB1762EFF7BF378C77D07E696468E29775CB5B467D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T05:26:51.192Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033322499315566
Encrypted:	false
SSDEEP:	48:YrSAYn96UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:yc9yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	B5FF4681CE00A54FE723A8843C624696
SHA1:	98C14DAD074E6B8A57BF6E4F2C4FA8629C2A86A8
SHA-256:	C008168F6C7A38E5D3A238FC4640CDA3CF727A70D076AC2A7350F887D58E77A0
SHA-512:	66B3C95F2759EA827F123F28745721426D41D582DEA1A6F9543C9164844D92DC6BD8A61832DFB9BA62732EEB1762EFF7BF378C77D07E696468E29775CB5B467D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T05:26:51.192Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846861578065345
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	994b7b7dc1d504aca1c653f4aa6cedf1
SHA1:	eecae1acf353ea69cd13b0ae1c1afff8ec3272ee
SHA256:	903f44f9a703778dec90fc768274e325d10cb5b5a76adce6f21177e55d0b6ec7
SHA512:	4920e7d5fdcb01500ddef4760553088826a90991183ffb342f681ad3dbba2b9534c7f0e42aa2966e335e70f8b1924d4f545f460bcaea39762c95b5ca2865f287
SSDEEP:	12288:SqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Ty:SqDEvCTbMWu7rQYlBQcBiT6rprG8aby
TLSH:	25159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x672303E1 [Thu Oct 31 04:13:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4A787F6113h
jmp 00007F4A787F5A1Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4A787F5BFDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4A787F5BCAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4A787F87BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4A787F8808h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4A787F87F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	ded1149a266c702fe3d4abefb0d428d0	False	0.31566455696202533	data	5.374188408894285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 05:17:00.536258936 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:00.536309004 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:00.542457104 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:00.548808098 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:00.548821926 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:01.172084093 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:01.172226906 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:01.180422068 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:01.180433989 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:01.180546999 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:01.180649996 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:01.180756092 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:01.926687002 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:01.926726103 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:01.926937103 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:01.928179979 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:01.928199053 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.065228939 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.065943003 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.065979004 CET	443	49740	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.070184946 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:02.071805000 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.071844101 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.074373960 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.074390888 CET	443	49740	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.074510098 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.079511881 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:02.250849962 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.250885963 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.251684904 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.253139019 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.253151894 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.677462101 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:02.729094028 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.731163979 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.731215000 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.731372118 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.732692003 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.732712984 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.769428968 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:02.769443035 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:02.769548893 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:02.769680023 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:02.769695044 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:02.792824030 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.793498993 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.796663046 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.796681881 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.801239014 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.801251888 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.801353931 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.801408052 CET	443	49738	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.802923918 CET	49738	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.804248095 CET	49744	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.809525013 CET	80	49744	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:02.813810110 CET	49744	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.813918114 CET	49744	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:02.818937063 CET	80	49744	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:02.872086048 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.872441053 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.877710104 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.877728939 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.877849102 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.877999067 CET	443	49741	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.878187895 CET	49741	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.878374100 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.878424883 CET	443	49745	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.883521080 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.884848118 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:02.884862900 CET	443	49745	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:02.890940905 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:02.890979052 CET	443	49746	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:02.891899109 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:02.892177105 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:02.892189026 CET	443	49746	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:02.925144911 CET	443	49740	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.925848007 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.925915003 CET	443	49740	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.926707029 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.931096077 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.931109905 CET	443	49740	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.931194067 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.931278944 CET	443	49740	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.931468010 CET	49740	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.931524992 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.931560993 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:02.931679964 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.932998896 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:02.933017969 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:03.378441095 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.380458117 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.381961107 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.384403944 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.384421110 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.384524107 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.384565115 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.384881020 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.384907007 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.387342930 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.393343925 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.393379927 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.393379927 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.393457890 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.396080017 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.396084070 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.396651030 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.397706985 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.397717953 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.399537086 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.399607897 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.399678946 CET	443	49743	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.399921894 CET	49743	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.418870926 CET	80	49744	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:03.453133106 CET	49744	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.453133106 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.458894968 CET	80	49744	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:03.458954096 CET	49744	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.459582090 CET	80	49739	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:03.459664106 CET	49739	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.492218018 CET	443	49745	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.492285013 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.496228933 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.496242046 CET	443	49745	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.496287107 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.496377945 CET	443	49745	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.497577906 CET	49745	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:03.506582022 CET	443	49746	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:03.509243011 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.516268015 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.516287088 CET	443	49746	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:03.516741037 CET	443	49746	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:03.518981934 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.519093037 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.519188881 CET	443	49746	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:03.519444942 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.519483089 CET	443	49751	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:03.519499063 CET	49746	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.519646883 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.519762993 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:03.519788027 CET	443	49751	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:03.677510977 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.682514906 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:03.694212914 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.694425106 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:03.700462103 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:03.780925035 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:03.781599998 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:03.783524990 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:03.783540010 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:03.788552999 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:03.788570881 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:03.788645983 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:03.788795948 CET	443	49747	142.250.185.142	192.168.2.4
Oct 31, 2024 05:17:03.789421082 CET	49747	443	192.168.2.4	142.250.185.142
Oct 31, 2024 05:17:03.951994896 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.952054977 CET	443	49753	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.952347040 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.952505112 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:03.952518940 CET	443	49753	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:03.997289896 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:03.997302055 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.003398895 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.007355928 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.007365942 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.007446051 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.007510900 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.010183096 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.079926968 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.079973936 CET	443	49754	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:04.085186005 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.086700916 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.086716890 CET	443	49754	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:04.087090015 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.087126017 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.090431929 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.091779947 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.091795921 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.092221022 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.092259884 CET	443	49756	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:04.092526913 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.093929052 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.093945026 CET	443	49756	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:04.123927116 CET	443	49751	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:04.124020100 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:04.127274990 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:04.127289057 CET	443	49751	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:04.127531052 CET	443	49751	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:04.129858017 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:04.129858017 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:04.130002975 CET	443	49751	34.160.144.191	192.168.2.4
Oct 31, 2024 05:17:04.130060911 CET	49751	443	192.168.2.4	34.160.144.191
Oct 31, 2024 05:17:04.161955118 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:04.161988020 CET	443	49757	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:04.162975073 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:04.164638042 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:04.164654970 CET	443	49757	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:04.300935030 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:04.349339962 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:04.589216948 CET	443	49753	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:04.589323044 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:04.591959953 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:04.591972113 CET	443	49753	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:04.592191935 CET	443	49753	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:04.594588041 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:04.594666958 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:04.594708920 CET	443	49753	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:04.594801903 CET	49753	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:04.695760965 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.696444035 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.700763941 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.700776100 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.700855017 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.700931072 CET	443	49755	34.117.188.166	192.168.2.4
Oct 31, 2024 05:17:04.700999975 CET	49755	443	192.168.2.4	34.117.188.166
Oct 31, 2024 05:17:04.701457977 CET	443	49754	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:04.701555967 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.705385923 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.705395937 CET	443	49754	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:04.705444098 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.705651999 CET	443	49754	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:04.706754923 CET	49754	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:04.745444059 CET	443	49756	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:04.750127077 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.754173994 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.754189968 CET	443	49756	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:04.754266977 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.754415035 CET	443	49756	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:04.754465103 CET	49756	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:04.783719063 CET	443	49757	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:04.789084911 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:04.792620897 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:04.792633057 CET	443	49757	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:04.792696953 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:04.792783022 CET	443	49757	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:04.792953968 CET	49757	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:06.876076937 CET	49759	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:06.880934000 CET	80	49759	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:06.883193970 CET	49759	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:06.883367062 CET	49759	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:06.888216019 CET	80	49759	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:06.907283068 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:06.912211895 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.033802032 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.086615086 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:07.203742981 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.203774929 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.203860044 CET	49759	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:07.205636024 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.205672979 CET	443	49761	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.208859921 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.208863020 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.209047079 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.209064007 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.209316969 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.209328890 CET	443	49761	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.214871883 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.214881897 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.215030909 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.228282928 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.228296995 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.228979111 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:07.234005928 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.234293938 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:07.234414101 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:07.239361048 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.252835035 CET	80	49759	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.359443903 CET	80	49759	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.359533072 CET	49759	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:07.808361053 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.808464050 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.814699888 CET	443	49761	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.814776897 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.829224110 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:07.834521055 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:07.834614992 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:07.877342939 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:08.176410913 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.176438093 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.176765919 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.178740978 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.178767920 CET	443	49761	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.179107904 CET	443	49761	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.181922913 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.182131052 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.182151079 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.182166100 CET	443	49760	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.183449030 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.183500051 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.183614969 CET	443	49761	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.184103966 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.184123039 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.184169054 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.184349060 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:08.184412003 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.184433937 CET	49761	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.184448004 CET	49760	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:08.185046911 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:12.644558907 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:12.646611929 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:12.646660089 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:12.647320032 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:12.648685932 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:12.648698092 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:12.649487019 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:12.659008980 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:12.659028053 CET	443	49767	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:12.660726070 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:12.662177086 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:12.662187099 CET	443	49767	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:12.769529104 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:12.815371990 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:13.262849092 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:13.263272047 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:13.268733025 CET	443	49767	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:13.269232035 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:13.269247055 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:13.269345999 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:13.269382000 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:13.269387007 CET	443	49766	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:13.269618988 CET	49766	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:13.274220943 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:13.274224997 CET	443	49767	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:13.274293900 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:13.274409056 CET	443	49767	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:13.274498940 CET	49767	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:14.487934113 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:14.492764950 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:14.521226883 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:14.525993109 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:14.612667084 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:14.646893024 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:14.677012920 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:14.692645073 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:15.547941923 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:15.552752972 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:15.672344923 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:15.726809025 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:24.652595043 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:24.657505989 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:24.911473036 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:24.911525011 CET	443	49772	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:24.911845922 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:24.913222075 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:24.913248062 CET	443	49772	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:25.520081997 CET	443	49772	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:25.520255089 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:25.525278091 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:25.525291920 CET	443	49772	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:25.525367975 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:25.525449038 CET	443	49772	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:25.526478052 CET	49772	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:25.528969049 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:25.533852100 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:25.653934002 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:25.657716990 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:25.662642002 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:25.708797932 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:25.782018900 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:25.840317011 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:29.422230005 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:29.422267914 CET	443	49773	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:29.423679113 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:29.423821926 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:29.423834085 CET	443	49773	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:29.425920010 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:29.425941944 CET	443	49774	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:29.426110983 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:29.426218033 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:29.426229000 CET	443	49774	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:29.429337025 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:29.429368019 CET	443	49775	151.101.129.91	192.168.2.4
Oct 31, 2024 05:17:29.429712057 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:29.429825068 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:29.429836988 CET	443	49775	151.101.129.91	192.168.2.4
Oct 31, 2024 05:17:29.444242954 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:29.444261074 CET	443	49776	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:29.448920965 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:29.459201097 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:29.459218025 CET	443	49776	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:29.459552050 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:29.459587097 CET	443	49777	35.201.103.21	192.168.2.4
Oct 31, 2024 05:17:29.461056948 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:29.462491035 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:29.462506056 CET	443	49777	35.201.103.21	192.168.2.4
Oct 31, 2024 05:17:30.026001930 CET	443	49774	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.026158094 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.029580116 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.029592991 CET	443	49774	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.029822111 CET	443	49774	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.030292988 CET	443	49773	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.030599117 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.033240080 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.033251047 CET	443	49773	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.033490896 CET	443	49773	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.034835100 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.034919024 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.034981012 CET	443	49774	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.036355972 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.036422968 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.036499977 CET	443	49773	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.039738894 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.039896965 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.039911985 CET	49774	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.039922953 CET	49773	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.044532061 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.046081066 CET	443	49775	151.101.129.91	192.168.2.4
Oct 31, 2024 05:17:30.046150923 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:30.048793077 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:30.048804998 CET	443	49775	151.101.129.91	192.168.2.4
Oct 31, 2024 05:17:30.049192905 CET	443	49775	151.101.129.91	192.168.2.4
Oct 31, 2024 05:17:30.051297903 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:30.051382065 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:30.051496983 CET	443	49775	151.101.129.91	192.168.2.4
Oct 31, 2024 05:17:30.057667017 CET	49775	443	192.168.2.4	151.101.129.91
Oct 31, 2024 05:17:30.058981895 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.059011936 CET	443	49778	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.059345007 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.059582949 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.059592962 CET	443	49778	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.061427116 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.061466932 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.061877012 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.061992884 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.062010050 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.063564062 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.063596010 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.063834906 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.063955069 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.063968897 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.072719097 CET	443	49776	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:30.072781086 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:30.075459003 CET	443	49777	35.201.103.21	192.168.2.4
Oct 31, 2024 05:17:30.075727940 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:30.077625036 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:30.077634096 CET	443	49776	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:30.077697992 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:30.077760935 CET	443	49776	35.190.72.216	192.168.2.4
Oct 31, 2024 05:17:30.078073978 CET	49776	443	192.168.2.4	35.190.72.216
Oct 31, 2024 05:17:30.079371929 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:30.079380989 CET	443	49777	35.201.103.21	192.168.2.4
Oct 31, 2024 05:17:30.079444885 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:30.079533100 CET	443	49777	35.201.103.21	192.168.2.4
Oct 31, 2024 05:17:30.079826117 CET	49777	443	192.168.2.4	35.201.103.21
Oct 31, 2024 05:17:30.089694977 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.089718103 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.089780092 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.089880943 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.089889050 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.164787054 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.169531107 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.174369097 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.213179111 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.297559977 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.344748974 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.665544033 CET	443	49778	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.665627003 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.667849064 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.667853117 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.667861938 CET	443	49778	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.668065071 CET	443	49778	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.670103073 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.670120955 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.670195103 CET	49778	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.673979998 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.673990965 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.674251080 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.674869061 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.675812006 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.678076029 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.678086996 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.678834915 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.679124117 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.680289984 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.680382013 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.680463076 CET	443	49779	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.682600021 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.682657003 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.682768106 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 05:17:30.683420897 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.683435917 CET	49779	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.683454990 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 05:17:30.683942080 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.694452047 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.694531918 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.698348045 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.698354006 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.698546886 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.701834917 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.701936007 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.701946974 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 05:17:30.702121973 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 05:17:30.803678989 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.806895018 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.811692953 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.846199036 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:30.931061983 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:30.984271049 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:32.311862946 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.311903954 CET	443	59707	142.250.114.100	192.168.2.4
Oct 31, 2024 05:17:32.313144922 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.313321114 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.313333988 CET	443	59707	142.250.114.100	192.168.2.4
Oct 31, 2024 05:17:32.907984972 CET	443	59707	142.250.114.100	192.168.2.4
Oct 31, 2024 05:17:32.908080101 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.908637047 CET	443	59707	142.250.114.100	192.168.2.4
Oct 31, 2024 05:17:32.908696890 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.911740065 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.911746025 CET	443	59707	142.250.114.100	192.168.2.4
Oct 31, 2024 05:17:32.911993027 CET	443	59707	142.250.114.100	192.168.2.4
Oct 31, 2024 05:17:32.914552927 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.914638996 CET	59707	443	192.168.2.4	142.250.114.100
Oct 31, 2024 05:17:32.920039892 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:32.924823999 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:33.045324087 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:33.048104048 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:33.052927971 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:33.090786934 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:33.173039913 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:33.222377062 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:43.050235033 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:43.055247068 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:43.181754112 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:43.186738014 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:45.583271980 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:45.583383083 CET	443	59708	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:45.583713055 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:45.585114002 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:45.585151911 CET	443	59708	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:46.192137957 CET	443	59708	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:46.192224026 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:46.196582079 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:46.196604013 CET	443	59708	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:46.196680069 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:46.196769953 CET	443	59708	34.107.243.93	192.168.2.4
Oct 31, 2024 05:17:46.197958946 CET	59708	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:17:46.199279070 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:46.204144001 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:46.324441910 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:46.327728033 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:46.332534075 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:46.375124931 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:46.452382088 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:46.506685972 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:52.263391972 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:52.271017075 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:52.392862082 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:52.395380974 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:52.401000977 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:52.444967031 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:52.519855976 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:52.576481104 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:59.308535099 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.308577061 CET	443	59741	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.309596062 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.309627056 CET	443	59742	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.310465097 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.310503006 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.310677052 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.310693026 CET	443	59741	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.310852051 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.310862064 CET	443	59742	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.314254045 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.314280033 CET	443	59744	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.314842939 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.314997911 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.315011024 CET	443	59744	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.915802956 CET	443	59742	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.915875912 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.917731047 CET	443	59744	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.917813063 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.919061899 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.919073105 CET	443	59742	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.919317007 CET	443	59742	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.921089888 CET	443	59741	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.921375990 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.921387911 CET	443	59744	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.921552896 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.921741009 CET	443	59744	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.924026966 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.924036026 CET	443	59741	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.924355030 CET	443	59741	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.927845955 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.927952051 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.928004026 CET	443	59742	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.928895950 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.928957939 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.929030895 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.929080009 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.929080963 CET	443	59744	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.929173946 CET	59742	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.929187059 CET	59744	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.929218054 CET	443	59741	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.930006027 CET	59741	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.989989042 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:17:59.991895914 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.991925001 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.994834900 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:17:59.997526884 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.997548103 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:17:59.997797966 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:17:59.997805119 CET	443	59747	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.002619028 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.002728939 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.002763033 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.002763033 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.002778053 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.002887011 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.002897978 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.002938032 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.002944946 CET	443	59747	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.022617102 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.022701979 CET	443	59748	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.023396015 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.024128914 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.024161100 CET	443	59748	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.115292072 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.155997038 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:00.160906076 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.173655987 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:00.280683041 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.327305079 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:00.612180948 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.612306118 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.612308025 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.612324953 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.612391949 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.615605116 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.615617037 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.615858078 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.617021084 CET	443	59747	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.617090940 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.617990971 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.617999077 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.618360996 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.620642900 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.620646000 CET	443	59747	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.621042013 CET	443	59747	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.623796940 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.623955965 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.624003887 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.624010086 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.624509096 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.624577045 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.624730110 CET	443	59745	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.625176907 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.625241995 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.625366926 CET	443	59747	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.627441883 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:00.628177881 CET	59745	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.628190994 CET	59747	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.631798983 CET	443	59748	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.631886959 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.632251978 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.634895086 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.634918928 CET	443	59748	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.635339022 CET	443	59748	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.637634039 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.637733936 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.637814045 CET	443	59748	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.637885094 CET	59748	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.752183914 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.754731894 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:00.759568930 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.806562901 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:00.839328051 CET	443	59746	34.120.208.123	192.168.2.4
Oct 31, 2024 05:18:00.839385033 CET	59746	443	192.168.2.4	34.120.208.123
Oct 31, 2024 05:18:00.879194975 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:00.928989887 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:10.757276058 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:10.763621092 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:10.888786077 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:10.893773079 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:20.763926029 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:20.768687963 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:20.901923895 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:20.906713009 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:26.524650097 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:26.524693012 CET	443	59901	34.107.243.93	192.168.2.4
Oct 31, 2024 05:18:26.525051117 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:26.526503086 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:26.526516914 CET	443	59901	34.107.243.93	192.168.2.4
Oct 31, 2024 05:18:27.143311024 CET	443	59901	34.107.243.93	192.168.2.4
Oct 31, 2024 05:18:27.150525093 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:27.158685923 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:27.158751965 CET	443	59901	34.107.243.93	192.168.2.4
Oct 31, 2024 05:18:27.158788919 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:27.158937931 CET	443	59901	34.107.243.93	192.168.2.4
Oct 31, 2024 05:18:27.161525965 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:27.166022062 CET	59901	443	192.168.2.4	34.107.243.93
Oct 31, 2024 05:18:27.166697025 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:27.286546946 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:27.289757013 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:27.294740915 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:27.335339069 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:27.414303064 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:27.466847897 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:37.295104980 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:37.338223934 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:37.433178902 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:37.440638065 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:47.339750051 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:47.344965935 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:47.462095022 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:47.466967106 CET	80	49763	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:57.353116035 CET	49752	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:57.358032942 CET	80	49752	34.107.221.82	192.168.2.4
Oct 31, 2024 05:18:57.469017029 CET	49763	80	192.168.2.4	34.107.221.82
Oct 31, 2024 05:18:57.599462986 CET	80	49763	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 05:17:00.536911011 CET	58809	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:00.544502020 CET	53	58809	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:00.567190886 CET	56887	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:00.575001001 CET	53	56887	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:01.914871931 CET	54605	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:01.915211916 CET	55789	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:01.922600985 CET	53	54605	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:01.923362017 CET	52881	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:01.928705931 CET	49377	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:01.930314064 CET	53	52881	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:01.930752039 CET	60319	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:01.935493946 CET	53	49377	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:01.936319113 CET	54853	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:01.937553883 CET	53	60319	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:01.943454981 CET	53	54853	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.242789984 CET	64851	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.249767065 CET	53	64851	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.251303911 CET	57741	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.258188009 CET	53	57741	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.275401115 CET	51895	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.282313108 CET	53	51895	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.722614050 CET	60809	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.730324030 CET	53	60809	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.731323957 CET	61235	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.738385916 CET	53	61235	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.738878012 CET	59958	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.745724916 CET	53	59958	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.762514114 CET	58740	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.769117117 CET	53	58740	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.769393921 CET	62935	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.770219088 CET	64187	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.775950909 CET	53	62935	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.777079105 CET	53	64187	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.791409969 CET	64913	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.803729057 CET	53088	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.811665058 CET	53	53088	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.876908064 CET	65244	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.885376930 CET	53	65244	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.891251087 CET	54300	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.898674965 CET	53	54300	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:02.899336100 CET	59550	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:02.907768011 CET	53	59550	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:03.299426079 CET	56274	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:03.323698997 CET	53	64301	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:03.841545105 CET	61995	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:03.848799944 CET	53	61995	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:03.855365992 CET	52333	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:03.862488985 CET	53	52333	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:03.863368034 CET	49371	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:03.870187044 CET	53	49371	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:04.092403889 CET	49358	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:04.099273920 CET	53	49358	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:04.099819899 CET	56249	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:04.106494904 CET	53	56249	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:04.149005890 CET	51503	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:04.156157970 CET	53	51503	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:04.162302017 CET	65172	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:04.169387102 CET	53	65172	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:04.175211906 CET	59627	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:04.181914091 CET	53	59627	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:06.866463900 CET	56978	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:06.873472929 CET	53	56978	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:06.888874054 CET	54791	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:06.922615051 CET	53	54791	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:06.923629045 CET	50821	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:06.930800915 CET	53	50821	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:12.650528908 CET	60842	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:12.650850058 CET	57806	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:12.657139063 CET	53	60842	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:12.657439947 CET	53	57806	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:12.658302069 CET	62549	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:12.665132046 CET	53	62549	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.487631083 CET	57394	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.488089085 CET	55124	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.488344908 CET	55109	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.494276047 CET	53	57394	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.494724035 CET	53	55124	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.495245934 CET	53	55109	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.495851994 CET	49676	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.496531963 CET	57326	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.497241020 CET	51274	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.502578020 CET	53	49676	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.503202915 CET	62873	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.503349066 CET	53	57326	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.503726006 CET	58448	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.504458904 CET	53	51274	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.505012035 CET	60624	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.510004997 CET	53	62873	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.510332108 CET	53	58448	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.510525942 CET	49812	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.510979891 CET	60371	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.512141943 CET	53	60624	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.517309904 CET	53	49812	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.518081903 CET	53	60371	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.518776894 CET	60819	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.521006107 CET	60411	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.525640011 CET	53	60819	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.526035070 CET	49165	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.528021097 CET	53	60411	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.528417110 CET	63518	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:14.532769918 CET	53	49165	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:14.535733938 CET	53	63518	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:24.911786079 CET	63455	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:24.918987989 CET	53	63455	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:26.904462099 CET	59404	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:26.911648035 CET	53	59404	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.421415091 CET	56618	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.422981977 CET	61137	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.428551912 CET	53	56618	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.429635048 CET	61456	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.429898024 CET	53	61137	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.436706066 CET	53	61456	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.437151909 CET	62166	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.444484949 CET	53	62166	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.444950104 CET	51014	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.448715925 CET	58765	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.451786995 CET	53	51014	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.454219103 CET	55475	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.455830097 CET	53	58765	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.456995010 CET	56672	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.461102962 CET	53	55475	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.465575933 CET	53	56672	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:29.467653990 CET	59583	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:29.474754095 CET	53	59583	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:31.693641901 CET	53	52805	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:45.575427055 CET	58980	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:45.582359076 CET	53	58980	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:45.583178043 CET	60769	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:45.589898109 CET	53	60769	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:59.306443930 CET	54474	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:17:59.313278913 CET	53	54474	1.1.1.1	192.168.2.4
Oct 31, 2024 05:17:59.990559101 CET	58573	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:18:26.524998903 CET	49362	53	192.168.2.4	1.1.1.1
Oct 31, 2024 05:18:26.532062054 CET	53	49362	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 05:17:00.536911011 CET	192.168.2.4	1.1.1.1	0x52b4	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:00.567190886 CET	192.168.2.4	1.1.1.1	0x3722	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:01.914871931 CET	192.168.2.4	1.1.1.1	0xd475	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.915211916 CET	192.168.2.4	1.1.1.1	0x7748	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.923362017 CET	192.168.2.4	1.1.1.1	0x367c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.928705931 CET	192.168.2.4	1.1.1.1	0xf206	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.930752039 CET	192.168.2.4	1.1.1.1	0xf755	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:01.936319113 CET	192.168.2.4	1.1.1.1	0x28a0	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:02.242789984 CET	192.168.2.4	1.1.1.1	0xc3c2	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.251303911 CET	192.168.2.4	1.1.1.1	0x44bd	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.275401115 CET	192.168.2.4	1.1.1.1	0x47a7	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:02.722614050 CET	192.168.2.4	1.1.1.1	0xf2c3	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.731323957 CET	192.168.2.4	1.1.1.1	0x1ad	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.738878012 CET	192.168.2.4	1.1.1.1	0xf9dd	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:02.762514114 CET	192.168.2.4	1.1.1.1	0x336c	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.769393921 CET	192.168.2.4	1.1.1.1	0x5238	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.770219088 CET	192.168.2.4	1.1.1.1	0xeb76	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.791409969 CET	192.168.2.4	1.1.1.1	0xcd66	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.803729057 CET	192.168.2.4	1.1.1.1	0xd09e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:02.876908064 CET	192.168.2.4	1.1.1.1	0x3250	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.891251087 CET	192.168.2.4	1.1.1.1	0x58fe	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.899336100 CET	192.168.2.4	1.1.1.1	0xbc6c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:03.299426079 CET	192.168.2.4	1.1.1.1	0x5082	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:03.841545105 CET	192.168.2.4	1.1.1.1	0x91fc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:03.855365992 CET	192.168.2.4	1.1.1.1	0x5277	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:03.863368034 CET	192.168.2.4	1.1.1.1	0xb420	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:04.092403889 CET	192.168.2.4	1.1.1.1	0xefd7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.099819899 CET	192.168.2.4	1.1.1.1	0x8fb2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:04.149005890 CET	192.168.2.4	1.1.1.1	0x3115	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.162302017 CET	192.168.2.4	1.1.1.1	0xfb16	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.175211906 CET	192.168.2.4	1.1.1.1	0x356f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:06.866463900 CET	192.168.2.4	1.1.1.1	0x9b50	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:06.888874054 CET	192.168.2.4	1.1.1.1	0x1d7f	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:06.923629045 CET	192.168.2.4	1.1.1.1	0x93ee	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:12.650528908 CET	192.168.2.4	1.1.1.1	0xad6c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:12.650850058 CET	192.168.2.4	1.1.1.1	0x75d3	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:12.658302069 CET	192.168.2.4	1.1.1.1	0x5997	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:14.487631083 CET	192.168.2.4	1.1.1.1	0x2988	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.488089085 CET	192.168.2.4	1.1.1.1	0xeba9	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.488344908 CET	192.168.2.4	1.1.1.1	0x6e47	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.495851994 CET	192.168.2.4	1.1.1.1	0xe3f4	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.496531963 CET	192.168.2.4	1.1.1.1	0x3ac8	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.497241020 CET	192.168.2.4	1.1.1.1	0x78fe	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.503202915 CET	192.168.2.4	1.1.1.1	0x8566	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:14.503726006 CET	192.168.2.4	1.1.1.1	0x9c41	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:14.505012035 CET	192.168.2.4	1.1.1.1	0xb7fe	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 31, 2024 05:17:14.510525942 CET	192.168.2.4	1.1.1.1	0xa246	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.510979891 CET	192.168.2.4	1.1.1.1	0xee0	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.518776894 CET	192.168.2.4	1.1.1.1	0xe036	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.521006107 CET	192.168.2.4	1.1.1.1	0x692d	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.526035070 CET	192.168.2.4	1.1.1.1	0xdaea	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:14.528417110 CET	192.168.2.4	1.1.1.1	0x21a8	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:24.911786079 CET	192.168.2.4	1.1.1.1	0xdd7d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:26.904462099 CET	192.168.2.4	1.1.1.1	0x367e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.421415091 CET	192.168.2.4	1.1.1.1	0x87a5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.422981977 CET	192.168.2.4	1.1.1.1	0xbe09	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:29.429635048 CET	192.168.2.4	1.1.1.1	0xa632	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.437151909 CET	192.168.2.4	1.1.1.1	0xdc85	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 31, 2024 05:17:29.444950104 CET	192.168.2.4	1.1.1.1	0xbfb1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.448715925 CET	192.168.2.4	1.1.1.1	0x679d	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.454219103 CET	192.168.2.4	1.1.1.1	0x8f51	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 05:17:29.456995010 CET	192.168.2.4	1.1.1.1	0xbe8e	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.467653990 CET	192.168.2.4	1.1.1.1	0x41a	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:45.575427055 CET	192.168.2.4	1.1.1.1	0x562d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:45.583178043 CET	192.168.2.4	1.1.1.1	0x1a6b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:59.306443930 CET	192.168.2.4	1.1.1.1	0x3781	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 05:17:59.990559101 CET	192.168.2.4	1.1.1.1	0x8a28	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:18:26.524998903 CET	192.168.2.4	1.1.1.1	0xf234	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 05:17:00.529295921 CET	1.1.1.1	192.168.2.4	0x66cd	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:00.544502020 CET	1.1.1.1	192.168.2.4	0x52b4	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.922179937 CET	1.1.1.1	192.168.2.4	0x7748	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:01.922179937 CET	1.1.1.1	192.168.2.4	0x7748	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.922600985 CET	1.1.1.1	192.168.2.4	0xd475	No error (0)	youtube.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.930314064 CET	1.1.1.1	192.168.2.4	0x367c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.935493946 CET	1.1.1.1	192.168.2.4	0xf206	No error (0)	youtube.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:01.937553883 CET	1.1.1.1	192.168.2.4	0xf755	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 05:17:01.943454981 CET	1.1.1.1	192.168.2.4	0x28a0	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 31, 2024 05:17:02.249767065 CET	1.1.1.1	192.168.2.4	0xc3c2	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.258188009 CET	1.1.1.1	192.168.2.4	0x44bd	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.730324030 CET	1.1.1.1	192.168.2.4	0xf2c3	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:02.730324030 CET	1.1.1.1	192.168.2.4	0xf2c3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.738385916 CET	1.1.1.1	192.168.2.4	0x1ad	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.768779039 CET	1.1.1.1	192.168.2.4	0xbb6d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:02.768779039 CET	1.1.1.1	192.168.2.4	0xbb6d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.769117117 CET	1.1.1.1	192.168.2.4	0x336c	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.775950909 CET	1.1.1.1	192.168.2.4	0x5238	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.775950909 CET	1.1.1.1	192.168.2.4	0x5238	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.777079105 CET	1.1.1.1	192.168.2.4	0xeb76	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.798083067 CET	1.1.1.1	192.168.2.4	0xcd66	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:02.798083067 CET	1.1.1.1	192.168.2.4	0xcd66	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.885376930 CET	1.1.1.1	192.168.2.4	0x3250	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:02.885376930 CET	1.1.1.1	192.168.2.4	0x3250	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:02.885376930 CET	1.1.1.1	192.168.2.4	0x3250	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.898674965 CET	1.1.1.1	192.168.2.4	0x58fe	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:02.907768011 CET	1.1.1.1	192.168.2.4	0xbc6c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 05:17:03.306519032 CET	1.1.1.1	192.168.2.4	0x5082	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:03.848799944 CET	1.1.1.1	192.168.2.4	0x91fc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:03.862488985 CET	1.1.1.1	192.168.2.4	0x5277	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:03.948121071 CET	1.1.1.1	192.168.2.4	0x8948	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:03.948121071 CET	1.1.1.1	192.168.2.4	0x8948	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.084341049 CET	1.1.1.1	192.168.2.4	0xf8bc	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.099273920 CET	1.1.1.1	192.168.2.4	0xefd7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.156157970 CET	1.1.1.1	192.168.2.4	0x3115	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:04.156157970 CET	1.1.1.1	192.168.2.4	0x3115	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:04.169387102 CET	1.1.1.1	192.168.2.4	0xfb16	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:06.873472929 CET	1.1.1.1	192.168.2.4	0x9b50	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:06.873472929 CET	1.1.1.1	192.168.2.4	0x9b50	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:06.873472929 CET	1.1.1.1	192.168.2.4	0x9b50	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:06.922615051 CET	1.1.1.1	192.168.2.4	0x1d7f	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:07.210304022 CET	1.1.1.1	192.168.2.4	0x5436	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:12.657139063 CET	1.1.1.1	192.168.2.4	0xad6c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494276047 CET	1.1.1.1	192.168.2.4	0x2988	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494724035 CET	1.1.1.1	192.168.2.4	0xeba9	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:14.494724035 CET	1.1.1.1	192.168.2.4	0xeba9	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.495245934 CET	1.1.1.1	192.168.2.4	0x6e47	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:14.495245934 CET	1.1.1.1	192.168.2.4	0x6e47	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.502578020 CET	1.1.1.1	192.168.2.4	0xe3f4	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.503349066 CET	1.1.1.1	192.168.2.4	0x3ac8	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.504458904 CET	1.1.1.1	192.168.2.4	0x78fe	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.510004997 CET	1.1.1.1	192.168.2.4	0x8566	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 05:17:14.510004997 CET	1.1.1.1	192.168.2.4	0x8566	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 05:17:14.510004997 CET	1.1.1.1	192.168.2.4	0x8566	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 05:17:14.510004997 CET	1.1.1.1	192.168.2.4	0x8566	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 05:17:14.510332108 CET	1.1.1.1	192.168.2.4	0x9c41	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 31, 2024 05:17:14.512141943 CET	1.1.1.1	192.168.2.4	0xb7fe	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 31, 2024 05:17:14.517309904 CET	1.1.1.1	192.168.2.4	0xa246	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:14.517309904 CET	1.1.1.1	192.168.2.4	0xa246	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.517309904 CET	1.1.1.1	192.168.2.4	0xa246	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.517309904 CET	1.1.1.1	192.168.2.4	0xa246	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.517309904 CET	1.1.1.1	192.168.2.4	0xa246	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.518081903 CET	1.1.1.1	192.168.2.4	0xee0	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.525640011 CET	1.1.1.1	192.168.2.4	0xe036	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.528021097 CET	1.1.1.1	192.168.2.4	0x692d	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.528021097 CET	1.1.1.1	192.168.2.4	0x692d	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.528021097 CET	1.1.1.1	192.168.2.4	0x692d	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:14.528021097 CET	1.1.1.1	192.168.2.4	0x692d	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:26.911648035 CET	1.1.1.1	192.168.2.4	0x367e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:26.911648035 CET	1.1.1.1	192.168.2.4	0x367e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:26.911648035 CET	1.1.1.1	192.168.2.4	0x367e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:26.911648035 CET	1.1.1.1	192.168.2.4	0x367e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.428551912 CET	1.1.1.1	192.168.2.4	0x87a5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.428551912 CET	1.1.1.1	192.168.2.4	0x87a5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.428551912 CET	1.1.1.1	192.168.2.4	0x87a5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.428551912 CET	1.1.1.1	192.168.2.4	0x87a5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.436706066 CET	1.1.1.1	192.168.2.4	0xa632	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.436706066 CET	1.1.1.1	192.168.2.4	0xa632	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.436706066 CET	1.1.1.1	192.168.2.4	0xa632	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.436706066 CET	1.1.1.1	192.168.2.4	0xa632	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.444484949 CET	1.1.1.1	192.168.2.4	0xdc85	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 05:17:29.444484949 CET	1.1.1.1	192.168.2.4	0xdc85	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 05:17:29.444484949 CET	1.1.1.1	192.168.2.4	0xdc85	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 05:17:29.444484949 CET	1.1.1.1	192.168.2.4	0xdc85	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 05:17:29.451236010 CET	1.1.1.1	192.168.2.4	0xe771	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.451786995 CET	1.1.1.1	192.168.2.4	0xbfb1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.455830097 CET	1.1.1.1	192.168.2.4	0x679d	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:29.455830097 CET	1.1.1.1	192.168.2.4	0x679d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:29.465575933 CET	1.1.1.1	192.168.2.4	0xbe8e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:30.695027113 CET	1.1.1.1	192.168.2.4	0x87b9	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:30.695027113 CET	1.1.1.1	192.168.2.4	0x87b9	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:45.582359076 CET	1.1.1.1	192.168.2.4	0x562d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:59.300518990 CET	1.1.1.1	192.168.2.4	0xe144	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 05:17:59.997495890 CET	1.1.1.1	192.168.2.4	0x8a28	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 05:17:59.997495890 CET	1.1.1.1	192.168.2.4	0x8a28	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	7744	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 05:17:02.074510098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:02.677462101 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85549 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	7744	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 05:17:02.813918114 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:03.418870926 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85572 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7744	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 05:17:03.694425106 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:04.300935030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85551 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:06.907283068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:07.033802032 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85553 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:12.644558907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:12.769529104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85559 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:14.521226883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:14.646893024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85561 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:24.652595043 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:17:25.528969049 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:25.653934002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85572 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:30.039738894 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:30.164787054 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85577 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:30.679124117 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:30.803678989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85577 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:32.920039892 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:33.045324087 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85579 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:43.050235033 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:17:46.199279070 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:46.324441910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85593 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:52.263391972 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:17:52.392862082 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85599 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:17:59.989989042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:18:00.115292072 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:18:00.627441883 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:18:00.752183914 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85607 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:18:10.757276058 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:20.763926029 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:27.161525965 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 05:18:27.286546946 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 85634 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 05:18:37.295104980 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:47.339750051 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:57.353116035 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49759	34.107.221.82	80	7744	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 05:17:06.883367062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49763	34.107.221.82	80	7744	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 05:17:07.234414101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:07.829224110 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85576 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:14.487934113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:14.612667084 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85583 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:15.547941923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:15.672344923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85584 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:25.657716990 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:25.782018900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85594 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:30.169531107 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:30.297559977 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85599 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:30.806895018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:30.931061983 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85599 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:33.048104048 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:33.173039913 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85602 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:43.181754112 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:17:46.327728033 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:46.452382088 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85615 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:17:52.395380974 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:17:52.519855976 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85621 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:18:00.155997038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:18:00.280683041 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85629 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:18:00.754731894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:18:00.879194975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85629 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:18:10.888786077 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:20.901923895 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:27.289757013 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 05:18:27.414303064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 85656 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 05:18:37.433178902 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:47.462095022 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 05:18:57.469017029 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:16:53
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf30000
File size:	919'552 bytes
MD5 hash:	994B7B7DC1D504ACA1C653F4AA6CEDF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:16:53
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:16:53
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:16:56
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:16:57
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:16:57
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	00:16:57
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30828f1-d7f7-491e-a174-0d50cbb3c3e7} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c089570710 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	00:16:59
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -parentBuildID 20230927232528 -prefsHandle 4260 -prefMapHandle 4256 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45d4d356-c33f-478b-aed1-4b6cb6bb653d} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09b9be810 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	00:17:03
Start date:	31/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f18a257c-3238-419d-ad26-872c475307f4} 7744 "\\.\pipe\gecko-crash-server-pipe.7744" 1c09a573f10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1611
Total number of Limit Nodes:	58

Executed Functions

Function 00F342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F3430D

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

GetCurrentProcess.KERNEL32(?,00FCCB64,00000000,?,?), ref: 00F34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F344A0

Strings

GetNativeSystemInfo, xrefs: 00F34460
|O, xrefs: 00F736F8
kernel32.dll, xrefs: 00F3444F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0a5a52d796d63c77a1e206cec95601a674d7ab1e1deb44d5a01dfb9f425ef548
Instruction ID: add7625ddb78165541183081c440a07b09569081b8cbdc3b62eb43e7702d08f5
Opcode Fuzzy Hash: 0a5a52d796d63c77a1e206cec95601a674d7ab1e1deb44d5a01dfb9f425ef548
Instruction Fuzzy Hash: 3DA1B772D0E2C0DFC737C769B4816957FA47B26314F08D4A9E4C5A3A0AD23AD505FBA2

Function 00F3D85A Relevance: 12.5, APIs: 8, Instructions: 481
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

timeGetTime.WINMM ref: 00F3DA07

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Timetime
String ID:
API String ID: 17336451-0
Opcode ID: 15b44f9f96efdfc92af45fddf84bc66bb25ddebb89a66ed1b596724bca08e767
Instruction ID: b066f13a4a93ec3373144604c9c9b4ac38eb601dc258d123c45ae1a7019c6795
Opcode Fuzzy Hash: 15b44f9f96efdfc92af45fddf84bc66bb25ddebb89a66ed1b596724bca08e767
Instruction Fuzzy Hash: 7A12EF71A08201DFD728DF24D884BAAB7E1FF85324F148559F89687291D779F844FB82

Function 00F342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F350AA,?,?,00000000,00000000), ref: 00F342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F350AA,?,?,00000000,00000000), ref: 00F342C9
LoadResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735BE
SizeofResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735D3
LockResource.KERNEL32(00F350AA,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20,?), ref: 00F735E6

Strings

SCRIPT, xrefs: 00F342BF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a0aadf03291d813e491f98e1fee12d2a54ac37171b742750b0b338bd98b5822a
Instruction ID: b320c983f3fdf10c8e5d0c333f4145b5b0024f30103527a569e19fde8130fe7f
Opcode Fuzzy Hash: a0aadf03291d813e491f98e1fee12d2a54ac37171b742750b0b338bd98b5822a
Instruction Fuzzy Hash: 4811AC70600305BFD7218BA6DD49F677BBDEBC6B61F148169F41696290DB71EC00AA70

Function 00F72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F32B6B

Part of subcall function 00F33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01001418,?,00F32E7F,?,?,?,00000000), ref: 00F33A78

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00FF2224), ref: 00F72C10
ShellExecuteW.SHELL32(00000000,?,?,00FF2224), ref: 00F72C17

Strings

runas, xrefs: 00F72C0B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c55015ada0b7aef8c3be1c3b813d9b8196ce7ed713e0cd613c27b191e4493e20
Instruction ID: 06dc227dbbce5af65847008605180aeaa04927a10a6eac253831f96ecb3b425c
Opcode Fuzzy Hash: c55015ada0b7aef8c3be1c3b813d9b8196ce7ed713e0cd613c27b191e4493e20
Instruction Fuzzy Hash: 8511EE316083456AC719FF60DC429BEBBA4AFD1370F44542DF286030A2CFB98A0AF712

Function 00F9D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F9D52F
CloseHandle.KERNELBASE(00000000), ref: 00F9D5DC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2ebc3bda44476cb4995eaabe391839b9d0b2850b133ccec874c7adc05233b6f6
Instruction ID: b480a7dcbcd31ad065d48cf73f78da5fd6c4033d5d583559a1c02ec4f9b1769d
Opcode Fuzzy Hash: 2ebc3bda44476cb4995eaabe391839b9d0b2850b133ccec874c7adc05233b6f6
Instruction Fuzzy Hash: C53193711083009FD700EF54CC81AAFBBE8EFD9364F54092DF585871A1EBB19949EB92

Function 00F9DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F75222), ref: 00F9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00F9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00F9DBEE
FindClose.KERNEL32(00000000), ref: 00F9DBFA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 75fffdaff9b0ad083fba0081a6501b32186d731eaa8d14ec11aadfb397bc611d
Instruction ID: 8d47973c52c62b1c523973df89bb50420c6e60a374bc1d33ebbc8db4de432834
Opcode Fuzzy Hash: 75fffdaff9b0ad083fba0081a6501b32186d731eaa8d14ec11aadfb397bc611d
Instruction Fuzzy Hash: 2BF0E531810918579B206F7CEE0ECAA776C9E01334B244702F83AC30F0EBB05D55EAD5

Function 00F54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000,?,00F628E9), ref: 00F54D09
TerminateProcess.KERNEL32(00000000,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000,?,00F628E9), ref: 00F54D10
ExitProcess.KERNEL32 ref: 00F54D22

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 570357bd04352184225b5c1956ea6cc634ad48091d85f4c342d496ede00e59a4
Instruction ID: 8eed791bf6e56a8e43d58c724d6483611a38a1c6b5fa293ec39c1b3ceaf7f569
Opcode Fuzzy Hash: 570357bd04352184225b5c1956ea6cc634ad48091d85f4c342d496ede00e59a4
Instruction Fuzzy Hash: EFE0B631800148ABCF11AF54EE0AE583B79FB41796B144018FD098B122CB3AED86EA90

Function 00FBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB1D4
_wcslen.LIBCMT ref: 00FBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB236
_wcslen.LIBCMT ref: 00FBB332

Part of subcall function 00FA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FA05C6

_wcslen.LIBCMT ref: 00FBB34B
_wcslen.LIBCMT ref: 00FBB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FBB3B6
GetLastError.KERNEL32(00000000), ref: 00FBB407
CloseHandle.KERNEL32(?), ref: 00FBB439
CloseHandle.KERNEL32(00000000), ref: 00FBB44A
CloseHandle.KERNEL32(00000000), ref: 00FBB45C
CloseHandle.KERNEL32(00000000), ref: 00FBB46E
CloseHandle.KERNEL32(?), ref: 00FBB4E3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f3feba8fe2e2c6bfa473c9412dcff44ecdfa40cc0d0d157ccd9a3321699ed205
Instruction ID: 6ab12c387c357484ad5410bcbe329366d93a58aa8c4e0962813b340e5e65857e
Opcode Fuzzy Hash: f3feba8fe2e2c6bfa473c9412dcff44ecdfa40cc0d0d157ccd9a3321699ed205
Instruction Fuzzy Hash: 10F19F719083409FC714EF25C891B6EBBE1AF85324F18855DF8998B2A2CB75EC44EF52

Function 00F32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F32D07
RegisterClassExW.USER32(00000030), ref: 00F32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F32D42
InitCommonControlsEx.COMCTL32(?), ref: 00F32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F32D6F
LoadIconW.USER32(000000A9), ref: 00F32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F32D94

Strings

+, xrefs: 00F32CF0
TaskbarCreated, xrefs: 00F32D37
0, xrefs: 00F32CE9
AutoIt v3 GUI, xrefs: 00F32D23

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 802c25cefd9cdd853e79b0c48f254e529e5763393423b15a69e23185a39db160
Instruction ID: bc9cf779ac6d22711aeb623701922bf92e7c203ce22372a7fcb07c0e9c706fdd
Opcode Fuzzy Hash: 802c25cefd9cdd853e79b0c48f254e529e5763393423b15a69e23185a39db160
Instruction Fuzzy Hash: DB21EFB1D41308AFDB11DFA4E98AB9DBBB4FB08700F00811AFA55A7290D7BA85449F91

Function 00F7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F70704,?,?,00000000,?,00F70704,00000000,0000000C), ref: 00F703B7

GetLastError.KERNEL32 ref: 00F7076F
__dosmaperr.LIBCMT ref: 00F70776
GetFileType.KERNELBASE(00000000), ref: 00F70782
GetLastError.KERNEL32 ref: 00F7078C
__dosmaperr.LIBCMT ref: 00F70795
CloseHandle.KERNEL32(00000000), ref: 00F707B5
CloseHandle.KERNEL32(?), ref: 00F708FF
GetLastError.KERNEL32 ref: 00F70931
__dosmaperr.LIBCMT ref: 00F70938

Strings

H, xrefs: 00F708BD

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fcc1eeb2a9753278cf998d619bf9290162a5f14c621780bbcee1e98cde91ff4b
Instruction ID: 4aec7dbcd386d61b678fe6049ff4b85c65e0f7bdc02ccffec7d745c14f64a1d0
Opcode Fuzzy Hash: fcc1eeb2a9753278cf998d619bf9290162a5f14c621780bbcee1e98cde91ff4b
Instruction Fuzzy Hash: 15A12732A101488FDF19AF68DC51BAD3BA0AF46320F14815EF8599B391DB359C17EB92

Function 00F3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01001418,?,00F32E7F,?,?,?,00000000), ref: 00F33A78

Part of subcall function 00F33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F731CE
RegCloseKey.ADVAPI32(?), ref: 00F73210
_wcslen.LIBCMT ref: 00F73277
_wcslen.LIBCMT ref: 00F73286

Strings

\Include\, xrefs: 00F33527
Software\AutoIt v3\AutoIt, xrefs: 00F33560
\, xrefs: 00F7328C
Include, xrefs: 00F73184, 00F731C5

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8bfef7c9b5198361fe55e2aedf94d06a74034dbc92a096bab302fa5cc87bfca3
Instruction ID: 815a572f4d887de613ad4c38b979fc2d12872018d7f32451026ac883e5606527
Opcode Fuzzy Hash: 8bfef7c9b5198361fe55e2aedf94d06a74034dbc92a096bab302fa5cc87bfca3
Instruction Fuzzy Hash: 3171E3714083019EC315EF25DC86D5BBBE8FF84350F40882EF589D31A5EB799A48EB52

Function 00F32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F32B9D
LoadIconW.USER32(00000063), ref: 00F32BB3
LoadIconW.USER32(000000A4), ref: 00F32BC5
LoadIconW.USER32(000000A2), ref: 00F32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F32BEF
RegisterClassExW.USER32(?), ref: 00F32C40

Part of subcall function 00F32CD4: GetSysColorBrush.USER32(0000000F), ref: 00F32D07
Part of subcall function 00F32CD4: RegisterClassExW.USER32(00000030), ref: 00F32D31
Part of subcall function 00F32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F32D42
Part of subcall function 00F32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F32D5F
Part of subcall function 00F32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F32D6F
Part of subcall function 00F32CD4: LoadIconW.USER32(000000A9), ref: 00F32D85
Part of subcall function 00F32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F32D94

Strings

#, xrefs: 00F32C16
AutoIt v3, xrefs: 00F32C2F
0, xrefs: 00F32C0F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 81bfc708a1ed330c6bf990dc081238a5c50aa820fac619a40720dbfe4399ca15
Instruction ID: 01c68936d0e0e64f103438c93bb2f37c41aa85e246aa7d053951dd92085c4737
Opcode Fuzzy Hash: 81bfc708a1ed330c6bf990dc081238a5c50aa820fac619a40720dbfe4399ca15
Instruction Fuzzy Hash: 75214970E00318ABDB229FA5ED49BA97FF5FB48B50F04801AF644A7694D7BA8540DF90

Function 00F33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F3316A,?,?), ref: 00F331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F3316A,?,?), ref: 00F33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F3316A,?,?), ref: 00F33232
CreatePopupMenu.USER32 ref: 00F33246
PostQuitMessage.USER32(00000000), ref: 00F33267

Strings

TaskbarCreated, xrefs: 00F3322D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c2427596567a8ea4b010e6ed8bc190b683e7e2764f113a03dfee431247d47b85
Instruction ID: c5f0ff3d44bf6a227ba1601ebb7119335279ea7b3fd5110b2a4c083569cbd2c5
Opcode Fuzzy Hash: c2427596567a8ea4b010e6ed8bc190b683e7e2764f113a03dfee431247d47b85
Instruction Fuzzy Hash: 48412C32E44204ABEB25AB78DD0EB7A3755FB05370F044119F54AC62D1CB79CE40B7A1

Function 00F31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F31459
CoUninitialize.COMBASE ref: 00F314F8
UnregisterHotKey.USER32(?), ref: 00F316DD
DestroyWindow.USER32(?), ref: 00F724B9
FreeLibrary.KERNEL32(?), ref: 00F7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F7254B

Strings

close all, xrefs: 00F31454

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 127c7782b989a570d266d4b9ac1df99b905a2c0a3475c08ae6a5b1817ac27903
Instruction ID: 98cc149dda759772c176dfb8e06b24e6958e4f2fda640995b777aea3469ffa16
Opcode Fuzzy Hash: 127c7782b989a570d266d4b9ac1df99b905a2c0a3475c08ae6a5b1817ac27903
Instruction Fuzzy Hash: F4D15D31B01212CFCB19EF15C995B29F7A4BF05720F1482AEE44E6B252DB31AD16EF91

Function 00F32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F31CAD,?), ref: 00F32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F31CAD,?), ref: 00F32CCF

Strings

AutoIt v3, xrefs: 00F32C89, 00F32C8E, 00F32C8F
edit, xrefs: 00F32CAC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 743494b336d9ed288f5c775bc16d447da13ae7af1139d9014825c01b9ba89c9a
Instruction ID: b58460a7cbc9aef68230e081788b9d6b156555e26e332d7a2c44d0d173499371
Opcode Fuzzy Hash: 743494b336d9ed288f5c775bc16d447da13ae7af1139d9014825c01b9ba89c9a
Instruction Fuzzy Hash: 6BF0F4755403947AEB320713AC09E673FBDD7C6F50F00801AF904A3594C67A8840EAB0

Function 00F33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B83

Strings

Control Panel\Mouse, xrefs: 00F33B3E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dbfccbd7bb190fe72e55d26ab593666458a59fcfaa1b1fac2a756e657481d8aa
Instruction ID: 47edc4b4aca99d0688dca13a0d45693a358ac06bd91461119ad2a9b55d091165
Opcode Fuzzy Hash: dbfccbd7bb190fe72e55d26ab593666458a59fcfaa1b1fac2a756e657481d8aa
Instruction Fuzzy Hash: 94112AB5910208FFDB20CFA5DC45EAEBBB8EF44764F104459E805D7110D2319E40A7A0

Function 00F3DB37 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F3DB7B
DispatchMessageW.USER32(?), ref: 00F3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3DB9F
TranslateAcceleratorW.USER32(?,?,?), ref: 00F81CC9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeek
String ID:
API String ID: 234387968-0
Opcode ID: fa906bdf31ed56a46539d5c1293e4cc478c670b4cdf0e388b754cd76dc180205
Instruction ID: 237f4a812b2b4c643042d1fbf935e2a7bd16b46ba5d0f46289a524b9b99eb855
Opcode Fuzzy Hash: fa906bdf31ed56a46539d5c1293e4cc478c670b4cdf0e388b754cd76dc180205
Instruction Fuzzy Hash: 8331BC30605385DFE735CB24EC49FEA7BB8BB46320F044259E09987281C779E588EF22

Function 00F33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F733A2

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F33A04

Strings

Line: , xrefs: 00F733EB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 1ac8390a6698dec6265255a42e1ff47877caca072b484782768c1fad61b2c61a
Instruction ID: e58e82c0a93e1d15113e30aaebaba8316aac6513067529aec5390da507c601bb
Opcode Fuzzy Hash: 1ac8390a6698dec6265255a42e1ff47877caca072b484782768c1fad61b2c61a
Instruction Fuzzy Hash: 0631A171809304AAD725EB20DC46BEBB7D8AB40734F00852EF5D993195EF789A49E7C2

Function 00F4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F50668

Part of subcall function 00F532A4: RaiseException.KERNEL32(?,?,?,00F5068A,?,01001444,?,?,?,?,?,?,00F5068A,00F31129,00FF8738,00F31129), ref: 00F53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F50685

Strings

Unknown exception, xrefs: 00F50692

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b460fe843c28f755bc4798e1ba8fa40348233c80bace7a4afc39bf6b3cb8f7a9
Instruction ID: d9fb1766352749563eaaffeda941ace99746cba2c94947fb9640f5312614cc91
Opcode Fuzzy Hash: b460fe843c28f755bc4798e1ba8fa40348233c80bace7a4afc39bf6b3cb8f7a9
Instruction Fuzzy Hash: 07F0FF20D0020D738B00BAA8DC46D9E7B6C5E00361B604430BE18924A2EF75EA6EE991

Function 00F310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F31BF4
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F31BFC
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F31C07
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F31C12
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F31C1A
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F31C22

Part of subcall function 00F31B4A: RegisterWindowMessageW.USER32(00000004,?,00F312C4), ref: 00F31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F3136A
OleInitialize.OLE32 ref: 00F31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F724AB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3dc149384d17bf620085ccf7039fdef0f371f66758d1ed4d5c99b495565b45b4
Instruction ID: 81a72c640c90879aec6effd2fd86dccd6b513776203e2938ce6acf4b1a36e93c
Opcode Fuzzy Hash: 3dc149384d17bf620085ccf7039fdef0f371f66758d1ed4d5c99b495565b45b4
Instruction Fuzzy Hash: 5071BDB4905201CFD3A6DF79E9456553AE0BB48352F58822EE0CADB299EB3BC601DF41

Function 00F9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F9C259
KillTimer.USER32(?,00000001,?,?), ref: 00F9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9C270

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 67660d976181a47bbb4b6814d84d60b334618420d92e5f33747a27ac084b69be
Instruction ID: c3196a8fa1dc1d2094baca33cb9b2cbf763911a9584cd0ecff6c69912aab492d
Opcode Fuzzy Hash: 67660d976181a47bbb4b6814d84d60b334618420d92e5f33747a27ac084b69be
Instruction Fuzzy Hash: BB31B171904384AFFF32CF648855BE6BBEC9F06708F00449AD6DE93241C3745A84DB91

Function 00F686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00F685CC,?,00FF8CC8,0000000C), ref: 00F68704
GetLastError.KERNEL32(?,00F685CC,?,00FF8CC8,0000000C), ref: 00F6870E
__dosmaperr.LIBCMT ref: 00F68739

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: ae6c34b2ab1d96a6af72425d3ae1c45e694899c2026521aa74062b41aac3b9ec
Instruction ID: 8e632763ae69413c292c10be25699593f16ae07c272cf332e6a3810d8ed8946a
Opcode Fuzzy Hash: ae6c34b2ab1d96a6af72425d3ae1c45e694899c2026521aa74062b41aac3b9ec
Instruction Fuzzy Hash: 17012B33E0566016D6356234EC46B7E775A4B81FF4F39031DF9589B1D2DEA68C83B290

Function 00F41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F417F6

Strings

CALL, xrefs: 00F417C6

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3936289dd7f592b680c336a467eb577a13f8afc301d63f361612ede91c2d7324
Instruction ID: 80d2b4b44797fbb8d0bcedbd3c31efa181f4132a16dd3bf9a4ab7ef42954fc0b
Opcode Fuzzy Hash: 3936289dd7f592b680c336a467eb577a13f8afc301d63f361612ede91c2d7324
Instruction Fuzzy Hash: A5229D70A083019FC714DF14C894B6ABBF1BF85314F18891DF89A8B3A1D775E885EB92

Function 00F32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F72C8C

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F32DC4

Strings

X, xrefs: 00F72C5A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 863cb8aaea7b5bf0f6d10b248a8bb5d159ddda94a66d77e3397f2e01e58f8844
Instruction ID: f463f45a483bca0cf551e467205d2ee05d116a16dc0aabe6437f73c1fe522bfb
Opcode Fuzzy Hash: 863cb8aaea7b5bf0f6d10b248a8bb5d159ddda94a66d77e3397f2e01e58f8844
Instruction Fuzzy Hash: F2219671A0025C9BCB41EF94CC45BEE7BF8AF49324F00805AE505E7241DBB855899FA1

Function 00F33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F33908

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 94f9ae23708f68211df26f09975abe23c9fc523eddfcd5c97098700491d5b570
Instruction ID: e8bd2233c130f8bd63353a330dd5aad0015a9c5f13a37dc633a250dd8d97b386
Opcode Fuzzy Hash: 94f9ae23708f68211df26f09975abe23c9fc523eddfcd5c97098700491d5b570
Instruction Fuzzy Hash: A331D271904300DFD721DF24D88579BBBE8FB49329F00092EF5D983280E775AA44DB92

Function 00F4F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F4F661
Sleep.KERNEL32(00000000), ref: 00F8F2DE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: abf55cbf258de86edfcb3a4826eba89e87d2a0166e59ade728f030927c76275c
Instruction ID: 486d441f7cbffee5a2a903d14b0c267356eb6a8ffccddc99f4477b95fef9fcba
Opcode Fuzzy Hash: abf55cbf258de86edfcb3a4826eba89e87d2a0166e59ade728f030927c76275c
Instruction Fuzzy Hash: EAF08C312402099FD350EF69D95AF6ABBE8EF45760F000029E95DC7261DB70A800EB90

Function 00F3B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F3BB4E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ce5b815e80daf09ce806075aaca37e419ce68b67fa406846759a3eb3e497f5b4
Instruction ID: 48ae8c3da0003a9da02a363342660632a55d129c0add9a41fbb4353a09707a3c
Opcode Fuzzy Hash: ce5b815e80daf09ce806075aaca37e419ce68b67fa406846759a3eb3e497f5b4
Instruction Fuzzy Hash: D532FD31E00209DFDB24DF54C8A8BBEB7B5EF44320F548059EA45AB251CB78ED45EB90

Function 00F34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E9C
Part of subcall function 00F34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F34EAE
Part of subcall function 00F34E90: FreeLibrary.KERNEL32(00000000,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EFD

Part of subcall function 00F34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E62
Part of subcall function 00F34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F34E74
Part of subcall function 00F34E59: FreeLibrary.KERNEL32(00000000,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E87

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4dc47cfc9dfb025ca06bad3d9a1aa29f5d62b23b873076de0ef040d45e8df871
Instruction ID: 68660fb62f2bf9f7d39708997c0d09d5d1ff3b1832b52bb15a7fc5746620a706
Opcode Fuzzy Hash: 4dc47cfc9dfb025ca06bad3d9a1aa29f5d62b23b873076de0ef040d45e8df871
Instruction Fuzzy Hash: 7A11E732600205AACB14BB74DD12FAD77A59F40B21F14842EF546AB1C1EE78FA45BB50

Function 00F68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F68440

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f9bc575c94c84168df9a0bd83cccc896ef699e35affb92aece2257d3fb434347
Instruction ID: 5c0fea0aca42c7e61c827e34b9f0990598741de2daf00f78a963b6f8c5584909
Opcode Fuzzy Hash: f9bc575c94c84168df9a0bd83cccc896ef699e35affb92aece2257d3fb434347
Instruction Fuzzy Hash: A311487190410AAFCB05DF58E940ADA7BF4EF48310F104199F808AB302DA31DA22DBA5

Function 00F65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F64C7D: RtlAllocateHeap.NTDLL(00000008,00F31129,00000000,?,00F62E29,00000001,00000364,?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?), ref: 00F64CBE

_free.LIBCMT ref: 00F6506C

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 04d33c3adbb5d6006091d65ce312ddcb2a3ab86f8bf3ae03c7dd3bbcc804fca6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 520126726047056BE3218F69DC81A5AFBE8FB89370F25051DE18493280EA30A805D6B4

Function 00F5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 718d14819423378520daf09ab3ee4d0d422975cd17a89ab21a341648368bc2e1
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 21F02D32921E149AC7353A69CC05B5A37999F523B3F100715FE21931D1CB78D90AB9A5

Function 00F64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F31129,00000000,?,00F62E29,00000001,00000364,?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?), ref: 00F64CBE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e9a81fc45117cf31e5a9ce07e9a4e22a2a0e623ca2af1dda1ec4006fdc17fe8
Instruction ID: b90b32f8c55102fe128cbab768761ead743bfc05cfcab3cedee7cb8e336cab72
Opcode Fuzzy Hash: 1e9a81fc45117cf31e5a9ce07e9a4e22a2a0e623ca2af1dda1ec4006fdc17fe8
Instruction Fuzzy Hash: D2F0B432A0222467DB217F669C09B5A3798AF817B1B144111BD19E7781CA34F801B6E0

Function 00F63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24842ec7ea6a4e9afa30148df44c0524b4cd87d4be9698ba5e3d336ec35b58aa
Instruction ID: dc6557735bf64e6eb3b4105e41d3d008fa7eb09b7bd8ec4a657f5b3868883ed3
Opcode Fuzzy Hash: 24842ec7ea6a4e9afa30148df44c0524b4cd87d4be9698ba5e3d336ec35b58aa
Instruction Fuzzy Hash: 7FE0653390122456E63126779D05BDA3749AB427B1F190121BD5597581DB25ED01B3E1

Function 00F34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34F6D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 33a25b4b502a7275b2753ffae7623dec6568a4dc57d40ac17a102c82aba33ecc
Instruction ID: 3b33e3b2d7e9857f41b6cdf2e404f08509f960df77ed4508c4183fc80664881e
Opcode Fuzzy Hash: 33a25b4b502a7275b2753ffae7623dec6568a4dc57d40ac17a102c82aba33ecc
Instruction Fuzzy Hash: DDF01C71505751CFDB349F75D490912B7E4AF1433971889AEE1EA83611C731B844EF50

Function 00FC2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FC2A66

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d55a18783e5ab1b5e9e9519c159f259366b6f3be4e26b31b1b6054b16ab42b6d
Instruction ID: 3a520af7125baa2871b9879eaa9a16a2a6bdb8999a267821f7deeb08a3cacda0
Opcode Fuzzy Hash: d55a18783e5ab1b5e9e9519c159f259366b6f3be4e26b31b1b6054b16ab42b6d
Instruction Fuzzy Hash: E5E0DF32750116AADB54EB34DD81EFA735CEB10390B00403AEC1AC2100DF389981B2E0

Function 00F330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F3314E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: dc332e4bfa8b864fd79869db6d66787df4547169fc69de51f5894696f5f7a59e
Instruction ID: b9e287af4f4bc4addac580b94d4748875d051ed9dfc28d8b4357ba15163a1916
Opcode Fuzzy Hash: dc332e4bfa8b864fd79869db6d66787df4547169fc69de51f5894696f5f7a59e
Instruction Fuzzy Hash: 6CF037709143189FE763DB24DC4A7D57BBCA701708F0041E5A68897185DB759788CF91

Function 00F32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F32DC4

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1160767055506a78d41c8c47cadf9a53feee97ca3879741c0aa2bdbc8cb5e7f1
Instruction ID: 0bb9ea6d82c86d7bfa876251b671c2465bbcfd7f0818c69e262a37bd64e93781
Opcode Fuzzy Hash: 1160767055506a78d41c8c47cadf9a53feee97ca3879741c0aa2bdbc8cb5e7f1
Instruction Fuzzy Hash: 8CE0CD72A001245BC71092589C06FDA77DDDFC8790F054071FD0DD7248D964AD849691

Function 00F32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F33908

SetCurrentDirectoryW.KERNEL32(?), ref: 00F32B6B

Part of subcall function 00F330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F3314E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectory
String ID:
API String ID: 2619246295-0
Opcode ID: 9ce87d6a41c2e19cfefb18a27b9fff64756535b86563395e7ec453b2e617ba88
Instruction ID: 7cba9fef76d9419a4c8eab5d41ce282b3e859ba8708b8b23bb77ac5f91907e7d
Opcode Fuzzy Hash: 9ce87d6a41c2e19cfefb18a27b9fff64756535b86563395e7ec453b2e617ba88
Instruction Fuzzy Hash: 54E0C23270824807CA09FB74AC529BDF7599BD5375F40153EF286831A3CF7D8A49A352

Function 00F7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F70704,?,?,00000000,?,00F70704,00000000,0000000C), ref: 00F703B7

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7066e603521015cc981bc968a756a9999dd613e4e7d51e9b01758365827cb4c8
Instruction ID: db1040b6e8ae096eb3fe68a5d86efb09314944d89bf253344ea7627a283d06ff
Opcode Fuzzy Hash: 7066e603521015cc981bc968a756a9999dd613e4e7d51e9b01758365827cb4c8
Instruction Fuzzy Hash: EDD06C3204010DBBDF028F85DD06EDA3BAAFB48714F014000FE1856020C732E821AB90

Function 00F31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F31CBC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 767ddd735556f1ac4fefac3ff07a24db44879abf47c7fa3025a9c78a82407216
Instruction ID: 2c2704f0bd9474643d1bd0323a23434cc4b21109299ad972a0468de871746e72
Opcode Fuzzy Hash: 767ddd735556f1ac4fefac3ff07a24db44879abf47c7fa3025a9c78a82407216
Instruction Fuzzy Hash: D2C09236280308EFF3268B80BD4FF107765A348B01F088401F68EAA5D7C7B76861EB94

Non-executed Functions

Function 00FC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FC96C9
SendMessageW.USER32 ref: 00FC96F2
GetKeyState.USER32(00000011), ref: 00FC978B
GetKeyState.USER32(00000009), ref: 00FC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FC97AE
GetKeyState.USER32(00000010), ref: 00FC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FC97E9
SendMessageW.USER32 ref: 00FC9810
SendMessageW.USER32(?,00001030,?,00FC7E95), ref: 00FC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FC9941
SetCapture.USER32(?), ref: 00FC994A
ClientToScreen.USER32(?,?), ref: 00FC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC99D6
ReleaseCapture.USER32 ref: 00FC99E1
GetCursorPos.USER32(?), ref: 00FC9A19
ScreenToClient.USER32(?,?), ref: 00FC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FC9A80
SendMessageW.USER32 ref: 00FC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FC9AEB
SendMessageW.USER32 ref: 00FC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FC9B4A
GetCursorPos.USER32(?), ref: 00FC9B68
ScreenToClient.USER32(?,?), ref: 00FC9B75
GetParent.USER32(?), ref: 00FC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FC9BFA
SendMessageW.USER32 ref: 00FC9C2B
ClientToScreen.USER32(?,?), ref: 00FC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FC9CDE
SendMessageW.USER32 ref: 00FC9D01
ClientToScreen.USER32(?,?), ref: 00FC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FC9D82

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

GetWindowLongW.USER32(?,000000F0), ref: 00FC9E05

Strings

@GUI_DRAGID, xrefs: 00FC997D
F, xrefs: 00FC9D07

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 569893073e6c0fda8e2cafa74a96301abfa8b215389fbe9f03484840085997dc
Instruction ID: 03699eae7e643aabda349c6524a332903ed8f156269aaa4dd5dd64aa9a1c6343
Opcode Fuzzy Hash: 569893073e6c0fda8e2cafa74a96301abfa8b215389fbe9f03484840085997dc
Instruction Fuzzy Hash: 32428D31608206AFD725CF24CE4AFAABBE5FF48320F14061DF599872A1D7B1D950EB91

Function 00FC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FC4A7E
IsMenu.USER32(?), ref: 00FC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00FC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FC4C82
wsprintfW.USER32 ref: 00FC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FC4D5A

Strings

%d/%02d/%02d, xrefs: 00FC4CA8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8fcbfae5898ad19caf6ba2ca5aca5849159fd93b9b498c1be06b8e6758300ae3
Instruction ID: 569443d7e3f5b33a97ad315d7ecbf2645168d6d58de6cf60d25f3de2bf60de2f
Opcode Fuzzy Hash: 8fcbfae5898ad19caf6ba2ca5aca5849159fd93b9b498c1be06b8e6758300ae3
Instruction Fuzzy Hash: A512257190021AABEB248F24CE5AFAE7BF8EF45720F10411DF51ADB2E1D774A940EB50

Function 00F4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000), ref: 00F4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8F474
IsIconic.USER32(00000000), ref: 00F8F47D
ShowWindow.USER32(00000000,00000009), ref: 00F8F48A
SetForegroundWindow.USER32(00000000), ref: 00F8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8F4AA
GetCurrentThreadId.KERNEL32 ref: 00F8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8F4D6
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F8F4DE
SetForegroundWindow.USER32(00000000), ref: 00F8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F4F6
keybd_event.USER32(00000012,00000000), ref: 00F8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F50B
keybd_event.USER32(00000012,00000000), ref: 00F8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F519
keybd_event.USER32(00000012,00000000), ref: 00F8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F528
keybd_event.USER32(00000012,00000000), ref: 00F8F52D
SetForegroundWindow.USER32(00000000), ref: 00F8F530
AttachThreadInput.USER32(?,?,00000000), ref: 00F8F557

Strings

Shell_TrayWnd, xrefs: 00F8F46F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 913ed849ed511c916dcac2ccfa4d350b5baa2547c7d3b5e7240978a1439ad566
Instruction ID: 66b94b354b41e1a1a33ae42bf411182ef4e4d23600a58afc0fbb8b98ad124024
Opcode Fuzzy Hash: 913ed849ed511c916dcac2ccfa4d350b5baa2547c7d3b5e7240978a1439ad566
Instruction Fuzzy Hash: B8315071A4021CBEEB206BB55D4AFBF7E6CEB44B50F140426FA09EB1D1C6B15900BBA0

Function 00F91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
Part of subcall function 00F916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
Part of subcall function 00F916C3: GetLastError.KERNEL32 ref: 00F9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F912A8
CloseHandle.KERNEL32(?), ref: 00F912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F912D1
GetProcessWindowStation.USER32 ref: 00F912EA
SetProcessWindowStation.USER32(00000000), ref: 00F912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F91310

Part of subcall function 00F910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F911FC), ref: 00F910D4
Part of subcall function 00F910BF: CloseHandle.KERNEL32(?,?,00F911FC), ref: 00F910E9

Strings

default, xrefs: 00F9130B
winsta0, xrefs: 00F912CC
, xrefs: 00F9125A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 4222017f6036cfef394ef11638f36229fa113edba412923d036ed5bf3006293b
Instruction ID: 534511dd67dbfaed8130fe2ad68ad1bc4081947cfdb4c9fe9fcdc7bfa6173b78
Opcode Fuzzy Hash: 4222017f6036cfef394ef11638f36229fa113edba412923d036ed5bf3006293b
Instruction Fuzzy Hash: 98819E71D0020AABEF10DFA8DD49FEE7BB9FF09714F044129FA14A61A0C7358954EB60

Function 00F90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
Part of subcall function 00F910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
Part of subcall function 00F910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
Part of subcall function 00F910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F90C00
GetLengthSid.ADVAPI32(?), ref: 00F90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F90C6D
GetLengthSid.ADVAPI32(?), ref: 00F90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F90C8C
HeapAlloc.KERNEL32(00000000), ref: 00F90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F90CB4
CopySid.ADVAPI32(00000000), ref: 00F90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D45
HeapFree.KERNEL32(00000000), ref: 00F90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D55
HeapFree.KERNEL32(00000000), ref: 00F90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D65
HeapFree.KERNEL32(00000000), ref: 00F90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F90D78
HeapFree.KERNEL32(00000000), ref: 00F90D7F

Part of subcall function 00F91193: GetProcessHeap.KERNEL32(00000008,00F90BB1,?,00000000,?,00F90BB1,?), ref: 00F911A1
Part of subcall function 00F91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F90BB1,?), ref: 00F911A8
Part of subcall function 00F91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F90BB1,?), ref: 00F911B7

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fdc5efa5f37bb8cbe081b1409070b53ebbfce131e8420d66f424ef408294f2b0
Instruction ID: 2c5628d3e8a78c255399cba5f805be21554b4a02120895d2eb56ef3fe84ed4ca
Opcode Fuzzy Hash: fdc5efa5f37bb8cbe081b1409070b53ebbfce131e8420d66f424ef408294f2b0
Instruction Fuzzy Hash: 96715972D0020AAFEF109FA5DD45FAEBBBCBF04314F044515E918E7291DB75A905EBA0

Function 00FAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FCCC08), ref: 00FAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FAEB37
GetClipboardData.USER32(0000000D), ref: 00FAEB43
CloseClipboard.USER32 ref: 00FAEB4F
GlobalLock.KERNEL32(00000000), ref: 00FAEB87
CloseClipboard.USER32 ref: 00FAEB91
GlobalUnlock.KERNEL32(00000000), ref: 00FAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FAEBC9
GetClipboardData.USER32(00000001), ref: 00FAEBD1
GlobalLock.KERNEL32(00000000), ref: 00FAEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00FAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FAEC38
GetClipboardData.USER32(0000000F), ref: 00FAEC44
GlobalLock.KERNEL32(00000000), ref: 00FAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FAECD2
GlobalUnlock.KERNEL32(00000000), ref: 00FAECF3
CountClipboardFormats.USER32 ref: 00FAED14
CloseClipboard.USER32 ref: 00FAED59

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7ad2b238354473658119414eda9b9f1fbcc78891afb35a3d2ef01ef6013c0353
Instruction ID: 401867b89ef2be3a35334e9ce4f8fbcb2032bcdd99ec595356ace42521f577a0
Opcode Fuzzy Hash: 7ad2b238354473658119414eda9b9f1fbcc78891afb35a3d2ef01ef6013c0353
Instruction Fuzzy Hash: 50610175204306AFD300EF20CD89F6AB7A4AF85764F14441DF85A872A2CB71DD06EBA2

Function 00FA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA69BE
FindClose.KERNEL32(00000000), ref: 00FA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FA6A75

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FA6ADF

Strings

%4d, xrefs: 00FA6BB1
%03d, xrefs: 00FA6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FA6B32
%4d%02d%02d%02d%02d%02d, xrefs: 00FA6B6A
%02d, xrefs: 00FA6C00, 00FA6C0A, 00FA6C5A, 00FA6CAA, 00FA6CFA, 00FA6D4A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 108612fb7c021735c0400c8c0b04df359be105cbc1a2cb29f6fbbf66184f9aad
Instruction ID: a4512fbb2d151209966a2b84d20d6ab7dc2a81c7b0999f1288b4cb6ef4112b2d
Opcode Fuzzy Hash: 108612fb7c021735c0400c8c0b04df359be105cbc1a2cb29f6fbbf66184f9aad
Instruction Fuzzy Hash: FFD185B2508304AFC314EBA0CD85EABB7ECAF89714F44491DF589D7151EB78DA04DB62

Function 00FA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FA9663
GetFileAttributesW.KERNEL32(?), ref: 00FA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FA96D3
FindClose.KERNEL32(00000000), ref: 00FA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA974A
SetCurrentDirectoryW.KERNEL32(00FF6B7C), ref: 00FA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA9772
FindClose.KERNEL32(00000000), ref: 00FA977F
FindClose.KERNEL32(00000000), ref: 00FA978F

Strings

*.*, xrefs: 00FA96F5

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fddc28b1b18f32b89e12057ec3f86f788145ae9278b4ee576d12a2d21aea8d3a
Instruction ID: 3e724c934f26e5c69ba7210438ba08ebd6a2ff2254e9da7aaadeaf3062dc6fe3
Opcode Fuzzy Hash: fddc28b1b18f32b89e12057ec3f86f788145ae9278b4ee576d12a2d21aea8d3a
Instruction Fuzzy Hash: 7E31E27290420D6ADF10EFB4ED09EEE77AC9F4A320F1040A5FA18E31A0DB74D944AE60

Function 00FA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FA9819
FindClose.KERNEL32(00000000), ref: 00FA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA9890
SetCurrentDirectoryW.KERNEL32(00FF6B7C), ref: 00FA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA98B8
FindClose.KERNEL32(00000000), ref: 00FA98C5
FindClose.KERNEL32(00000000), ref: 00FA98D5

Part of subcall function 00F9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F9DB00

Strings

*.*, xrefs: 00FA983B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b729705b0e19e12b443814714582942f4bc860658ee7b18565003aafd9071aed
Instruction ID: 683f03b214e84b412490dfbb79b6152c1d8145e5db5689572f755bff1fff1463
Opcode Fuzzy Hash: b729705b0e19e12b443814714582942f4bc860658ee7b18565003aafd9071aed
Instruction Fuzzy Hash: 2F31C37290421D6ADB10EFB4EC49EEE77AC9F47330F5041A5E914E30A0DBB8D945EB60

Function 00FBBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FBBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00FBBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FBC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FBC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FBC382
RegCloseKey.ADVAPI32(00000000), ref: 00FBC38F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: b06a69e02f247a90c3ff39048dd64cd91525a2301741f5c00501639540fe3ec1
Instruction ID: caeb6d2617d56eca89b4920ffa1d8d5e41bc986afe137168bd7eac8f28405e05
Opcode Fuzzy Hash: b06a69e02f247a90c3ff39048dd64cd91525a2301741f5c00501639540fe3ec1
Instruction Fuzzy Hash: D5025B71604200AFC714DF29C891E6ABBE5AF89318F58849DF84ADB2A2D731EC45DF91

Function 00FA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8395

Strings

*.*, xrefs: 00FA839B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 37825269ef1e855fba01f60e208668ee6d289bf34000b041fbaee4c4ec31ebad
Instruction ID: bf71991163eede01e58258ccf49e5ef5aa8fc3107ad5d29bcac5c57266d25b20
Opcode Fuzzy Hash: 37825269ef1e855fba01f60e208668ee6d289bf34000b041fbaee4c4ec31ebad
Instruction Fuzzy Hash: BD618DB25083059FCB10EF60C841AAEB3E8FF89360F04491EF989D7251DB75E946DB92

Function 00F9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F9D1DD
MoveFileW.KERNEL32(?,?), ref: 00F9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F9D237

Part of subcall function 00F9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F9D21C,?,?), ref: 00F9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F9D253
FindClose.KERNEL32(00000000), ref: 00F9D264

Strings

\*.*, xrefs: 00F9D0CD, 00F9D0D6, 00F9D0EB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 93cedabef000a39a38fe3a00d352f22c9982e6571aec1978d63f8750e059673a
Instruction ID: 895fff2caea2a56d673fd1de845b39729cbbdb5c94e15afb2e793249bd0fd341
Opcode Fuzzy Hash: 93cedabef000a39a38fe3a00d352f22c9982e6571aec1978d63f8750e059673a
Instruction Fuzzy Hash: AB617C31C0510DAADF05EBE0CE929EDB7B5AF54320F704065E442B71A1EB78AF09EB60

Function 00FAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FAED91
EmptyClipboard.USER32 ref: 00FAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FAEDAC
CloseClipboard.USER32 ref: 00FAEEA3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f936661ce0d9d7d87428582a5f07f749d5c323930f3530bacf1f55a2be0a2600
Instruction ID: 6b87a5878e411813d747dbac8365415b5949abe794322030a38a804b69c15d87
Opcode Fuzzy Hash: f936661ce0d9d7d87428582a5f07f749d5c323930f3530bacf1f55a2be0a2600
Instruction Fuzzy Hash: 2941EC75604211AFE320CF25D989F19BBE0EF05329F05C09DE4198B662C735EC42EBD0

Function 00F9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
Part of subcall function 00F916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
Part of subcall function 00F916C3: GetLastError.KERNEL32 ref: 00F9174A

ExitWindowsEx.USER32(?,00000000), ref: 00F9E932

Strings

, xrefs: 00F9E95C
SeShutdownPrivilege, xrefs: 00F9E902
@, xrefs: 00F9E925
, xrefs: 00F9E920

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8b2c127e45420fd496b25820c647ee7f388b6e2327181da1bf35342dbd00b877
Instruction ID: b1410a36289ed5971e17b6e3aee559f1343b4637550da814c13f20a0bf600ccb
Opcode Fuzzy Hash: 8b2c127e45420fd496b25820c647ee7f388b6e2327181da1bf35342dbd00b877
Instruction Fuzzy Hash: 6101D673E10215ABFF64A6B49D86FBB726CAB14760F150821FD03E31D1D9A55C40B1D0

Function 00FB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FB1276
WSAGetLastError.WSOCK32 ref: 00FB1283
bind.WSOCK32(00000000,?,00000010), ref: 00FB12BA
WSAGetLastError.WSOCK32 ref: 00FB12C5
closesocket.WSOCK32(00000000), ref: 00FB12F4
listen.WSOCK32(00000000,00000005), ref: 00FB1303
WSAGetLastError.WSOCK32 ref: 00FB130D
closesocket.WSOCK32(00000000), ref: 00FB133C

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 69b3b0daaa46edfc03d0bbd8a1bf990f09bb794ba62f828967c76ad39a539a54
Instruction ID: 8edb029f9820aa30f8cadd1204946c8129908ad36132d78382e1f93b45b9d465
Opcode Fuzzy Hash: 69b3b0daaa46edfc03d0bbd8a1bf990f09bb794ba62f828967c76ad39a539a54
Instruction Fuzzy Hash: 8641D131A001009FD710DF25C999B6ABBE5BF46328F588088E85A8F2D2C731EC81DFE0

Function 00F9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F9D481
FindClose.KERNEL32(00000000), ref: 00F9D498
FindClose.KERNEL32(00000000), ref: 00F9D4A1

Strings

\*.*, xrefs: 00F9D3F2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 16e5b4b157de8dd438049e9870f68b1f3f672f519cb3ae38a8c2e48c2a9a8f59
Instruction ID: 4684b7dbbdf799868627d98a0aab3a09d11fa2b9e2a0d0ee3be0098cea873a51
Opcode Fuzzy Hash: 16e5b4b157de8dd438049e9870f68b1f3f672f519cb3ae38a8c2e48c2a9a8f59
Instruction Fuzzy Hash: 5331AE3140C3459BC704EF64DD929AFB7A8AE91324F504A1DF4D5931A1EB34EA09EBA3

Function 00F6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F6E645

Strings

1#INF, xrefs: 00F6F852
1#SNAN, xrefs: 00F6F844
1#IND, xrefs: 00F6F83D
1#QNAN, xrefs: 00F6F84B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fc7635dacc55c666b1f99923e768132e3c4a565d0d225f4c840f9764bec82cb6
Instruction ID: 6e9f9d183786c1314d3eefc0c32bea864f6d68523aef12fb186d5ec723408137
Opcode Fuzzy Hash: fc7635dacc55c666b1f99923e768132e3c4a565d0d225f4c840f9764bec82cb6
Instruction Fuzzy Hash: 60C25D72E046288FDB25CF28DD407EAB7B5EB45315F1441EAD80EE7241E778AE85AF40

Function 00FA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA64DC
CoInitialize.OLE32(00000000), ref: 00FA6639
CoCreateInstance.OLE32(00FCFCF8,00000000,00000001,00FCFB68,?), ref: 00FA6650
CoUninitialize.OLE32 ref: 00FA68D4

Strings

.lnk, xrefs: 00FA64BA, 00FA6524, 00FA65E0

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a807a3e25635b64fe1b65b468b9535fb546300655e68038722060574964c9747
Instruction ID: 260c9c6e996505db9fbd9bde3f07dab6cb9d67b1c0d06f697b0399aaa6066e53
Opcode Fuzzy Hash: a807a3e25635b64fe1b65b468b9535fb546300655e68038722060574964c9747
Instruction Fuzzy Hash: A8D149B1508301AFC314EF24C881A6BB7E8FF99714F04496DF595CB2A1EB74E909DB92

Function 00FB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FB22E8

Part of subcall function 00FAE4EC: GetWindowRect.USER32(?,?), ref: 00FAE504

GetDesktopWindow.USER32 ref: 00FB2312
GetWindowRect.USER32(00000000), ref: 00FB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FB2355
GetCursorPos.USER32(?), ref: 00FB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FB23DF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 04585feceee80c063956bbdcad973534db269b35056c5f27c130b63949e155bb
Instruction ID: d313c1f98dbfdf9dcb920968b91fd3a18ff19216bc8e56dbaaba6f8340e1f867
Opcode Fuzzy Hash: 04585feceee80c063956bbdcad973534db269b35056c5f27c130b63949e155bb
Instruction Fuzzy Hash: 6531BE72504319ABDB20DF55CC49F9BB7E9FF88310F040919F98997191DB34E909DB92

Function 00FA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FA9C8B

Part of subcall function 00FA3874: GetInputState.USER32 ref: 00FA38CB
Part of subcall function 00FA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FA9C75

Strings

*.*, xrefs: 00FA9B5D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9dd74fb6eae7ee452db06a2875d77958681f175b8d1732b0ac1d5901921ca754
Instruction ID: 2bf99127ac93f0e4897ea5a521d6af9ba03f46a13c2d1ff7eeb493589ee77eb2
Opcode Fuzzy Hash: 9dd74fb6eae7ee452db06a2875d77958681f175b8d1732b0ac1d5901921ca754
Instruction Fuzzy Hash: 1641B3B1D0860A9FCF14DFA4CD45AEE7BB4EF46320F104065E915A3191DB709E44EF60

Function 00F4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F49A4E
GetSysColor.USER32(0000000F), ref: 00F49B23
SetBkColor.GDI32(?,00000000), ref: 00F49B36

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: db31dd9fc1accd064f11d40895757f1db21b6ef810f5592c50597c01dbad6590
Instruction ID: 339451f0320c5facff4b5e6b4148a86d8d17b4cee7d2b723625e697445a7cd91
Opcode Fuzzy Hash: db31dd9fc1accd064f11d40895757f1db21b6ef810f5592c50597c01dbad6590
Instruction Fuzzy Hash: 99A1D67170C554AEE725BA288C49FBF3E9DDB82360F240209F902C6595CAADDE41F371

Function 00FB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
Part of subcall function 00FB304E: _wcslen.LIBCMT ref: 00FB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FB185D
WSAGetLastError.WSOCK32 ref: 00FB1884
bind.WSOCK32(00000000,?,00000010), ref: 00FB18DB
WSAGetLastError.WSOCK32 ref: 00FB18E6
closesocket.WSOCK32(00000000), ref: 00FB1915

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fcc3d2ae6d6b87370b0ba4f01ea0bc22a9fedf2ee5207b2adc48c8d90dfe25c1
Instruction ID: 24c6fd9b955d982b44c1d9fbaa13e3269262d48b75391c13e7f73230532a0965
Opcode Fuzzy Hash: fcc3d2ae6d6b87370b0ba4f01ea0bc22a9fedf2ee5207b2adc48c8d90dfe25c1
Instruction Fuzzy Hash: F351A375A00200AFDB10EF24C896F6A77E5AB44728F488458FA09AF3D3D775ED419BE1

Function 00FC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FC1CC0
IsWindowEnabled.USER32 ref: 00FC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FC1CDB
IsIconic.USER32 ref: 00FC1CE9
IsZoomed.USER32 ref: 00FC1CF7

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 895c9e3bdcfdbea1a645644624f5e280842434bec937025d8586cffebc55cb6e
Instruction ID: 1640b8f4fd94a481fbd33643fd6fc65a1982e3c68eb92eb268071997955093bf
Opcode Fuzzy Hash: 895c9e3bdcfdbea1a645644624f5e280842434bec937025d8586cffebc55cb6e
Instruction Fuzzy Hash: AB219131B402125FD720CF2AC986F667BA5FF86325F19805CE84A8B252C775D852EB90

Function 00F38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00F3813C
VUUU, xrefs: 00F3843C
VUUU, xrefs: 00F75DF0
VUUU, xrefs: 00F383E8
VUUU, xrefs: 00F383FA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ee52fa150b0d321bfdb7a40187e847aa1df6fa56cd09dbe25d69c2a65509f32b
Instruction ID: ccb206e368d3a2de535de7a2017c52432a152b50cb44cab20740162e0ee78aa5
Opcode Fuzzy Hash: ee52fa150b0d321bfdb7a40187e847aa1df6fa56cd09dbe25d69c2a65509f32b
Instruction Fuzzy Hash: 2BA29371E0061ACBDF24CF58C8417ADB7B1BF44760F2481AAE819A7385DB749D82EF91

Function 00F9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F9AAAC
SetKeyboardState.USER32(00000080), ref: 00F9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F9AB88

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f5d18c84b19043642d570f376c1c0d9fa022b954b63eff00ee03375952a034cf
Instruction ID: 84b26512794eea4bbef3bfcd3afc16b8fcbea11d98860e4f2d26e1f7e0b090a1
Opcode Fuzzy Hash: f5d18c84b19043642d570f376c1c0d9fa022b954b63eff00ee03375952a034cf
Instruction Fuzzy Hash: 59312430E40608AFFF358F698C05BFA7BA6AB84324F04421AF185921D1D7798981F7E2

Function 00F6BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F6BB7F

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

GetTimeZoneInformation.KERNEL32 ref: 00F6BB91
WideCharToMultiByte.KERNEL32(00000000,?,0100121C,000000FF,?,0000003F,?,?), ref: 00F6BC09
WideCharToMultiByte.KERNEL32(00000000,?,01001270,000000FF,?,0000003F,?,?,?,0100121C,000000FF,?,0000003F,?,?), ref: 00F6BC36

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3a3393a00e8615118f91c5e83397b1771ac243358cd2ee72d5b2f8c92ceaee43
Instruction ID: a760362af1c38ac17ff297b0b86d7cf4ed79384dc4f4143c063475f2ad4df88d
Opcode Fuzzy Hash: 3a3393a00e8615118f91c5e83397b1771ac243358cd2ee72d5b2f8c92ceaee43
Instruction Fuzzy Hash: 743125B1D04205EFCB22DF69CC8193DBBB8FF45360B14426AE090DB2A1C7319E90EB50

Function 00FACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FACE89
GetLastError.KERNEL32(?,00000000), ref: 00FACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FACEFE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4fdcdeada9c955c20d6ce8d5213ac447a6dc19ecd271715da858741cb98082b5
Instruction ID: b600487fd7936f17155f0743db1ac62cf8d19f33793b144bb68377d82d91f49a
Opcode Fuzzy Hash: 4fdcdeada9c955c20d6ce8d5213ac447a6dc19ecd271715da858741cb98082b5
Instruction Fuzzy Hash: 43219DB1900305AFEB20DF65C989BA677F8EF41364F10442EE646D2151EB74EE08EBE0

Function 00F98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F982AA

Strings

(, xrefs: 00F982F0
|, xrefs: 00F982DA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e9ee6857bbe015c168f50e14176efd9e8e8f92945930c0cb5d331d670ca8979a
Instruction ID: 0cdc97bb4d5d29443912151404a34bf28db9f072396bfb275a3c25cc152b1610
Opcode Fuzzy Hash: e9ee6857bbe015c168f50e14176efd9e8e8f92945930c0cb5d331d670ca8979a
Instruction Fuzzy Hash: E6324575A007059FDB28CF59C480A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB40

Function 00FA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FA5D17
FindClose.KERNEL32(?), ref: 00FA5D5F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ecb704bafbf10ad635824e8f082d231a8a333c6e577a9ceadff19d42659c8934
Instruction ID: f02920a7837386bc3212e0bf5300015ba264873835c4f688e01561c97bd87b0b
Opcode Fuzzy Hash: ecb704bafbf10ad635824e8f082d231a8a333c6e577a9ceadff19d42659c8934
Instruction Fuzzy Hash: A6519AB5A046019FC714CF28C894E96B7E4FF4A324F14855DE99A8B3A2CB30ED05DF91

Function 00F62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F62731

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cdf737d026b92135263f75efab4f4f6bcc9c507a7eb3e68a87698a4ad58b6377
Instruction ID: aa50f0e8ea0ae37ae49c27ff518e97c8f8771975117eb63e6f47ee331c601a5f
Opcode Fuzzy Hash: cdf737d026b92135263f75efab4f4f6bcc9c507a7eb3e68a87698a4ad58b6377
Instruction Fuzzy Hash: A131C474D0121C9BCB61DF64DD89BD8B7B8AF08310F5041EAE80CA7260EB349F859F84

Function 00FA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FA5238
SetErrorMode.KERNEL32(00000000), ref: 00FA52A1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6359fc18905a1f505a57147ead1fffdae33d494a7169f398c26ac87118af7034
Instruction ID: 25308d00f9d389e5db33958872251870396adf2caadd8542dde3d59c72c643cc
Opcode Fuzzy Hash: 6359fc18905a1f505a57147ead1fffdae33d494a7169f398c26ac87118af7034
Instruction Fuzzy Hash: E5313A75A00518DFDB00DF55D884EADBBB4FF49318F088099E809AB362DB35E856DBA0

Function 00F916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F50668
Part of subcall function 00F4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
GetLastError.KERNEL32 ref: 00F9174A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 68c88d44bd8c519b8a6c4dd5d41d3ac4a6631e6c9c07142a9019b492131f5a83
Instruction ID: 1d73f5e0a609695443ed52554b5a6938f32c067dc32830fb674ef069f4d237cc
Opcode Fuzzy Hash: 68c88d44bd8c519b8a6c4dd5d41d3ac4a6631e6c9c07142a9019b492131f5a83
Instruction Fuzzy Hash: 4011C4B2800309AFE7189F54DC86D6ABBB9FF44714B24852EE45A53241EB70BC419A60

Function 00F9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F9D650

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1fa91a21925db4634610c38ed7c7f2d9a9150e5d9e9e3b1ef4d52b183993a902
Instruction ID: 82710b4f6cba75c2fae74ca30833235fc0d938af2c221553868c2f7bda83094f
Opcode Fuzzy Hash: 1fa91a21925db4634610c38ed7c7f2d9a9150e5d9e9e3b1ef4d52b183993a902
Instruction Fuzzy Hash: 66115E75E05228BFEB108F95ED45FAFBBBCEB45B60F108115F908E7290D6704A059BE1

Function 00F91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F916A1
FreeSid.ADVAPI32(?), ref: 00F916B1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0529607bfb9d72f8595a7e4e500431417560792c2ffd438632801ec39053edff
Instruction ID: 203dfa4fc99da7a89ff49698e5287be191b9e1af6ca1893c29c269716ebed428
Opcode Fuzzy Hash: 0529607bfb9d72f8595a7e4e500431417560792c2ffd438632801ec39053edff
Instruction Fuzzy Hash: 19F0F471D9030DFBEF00DFE49D8AEAEBBBCFB08604F504565E901E2181E774AA449A94

Function 00F8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F8D28C

Strings

X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3fa63bfafea569ae8f68cd65697c7dec05111c013a0c5c4c7c9d7ecfd28ccd59
Instruction ID: 8affc8792f5aa33faeba8ff73963a464c8ab88c62b45b373dcb90dfedea52fe6
Opcode Fuzzy Hash: 3fa63bfafea569ae8f68cd65697c7dec05111c013a0c5c4c7c9d7ecfd28ccd59
Instruction Fuzzy Hash: 36D0CAB680112DEACB94DBA0EC89EDAB7BCBB04305F100292F50AE2040DB309648AF20

Function 00F5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 53e11532cc5bffaa92608796a89bfb0d3eefd482cd5f151d3e5ad8e2eeb07810
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 92022D71E002199FDF14CFA9C8806ADBBF1EF48325F25816AD91AE7380D731AA45DBD0

Function 00FA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA6918
FindClose.KERNEL32(00000000), ref: 00FA6961

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6e5a2ea2020aa0e1fa7b3ca92c6fd3114713f3c41d38b0dbf2c762599cf29d6f
Instruction ID: b440da97c987798acfe0d4217469125397ef1408ad72631ca1f5205f208f438f
Opcode Fuzzy Hash: 6e5a2ea2020aa0e1fa7b3ca92c6fd3114713f3c41d38b0dbf2c762599cf29d6f
Instruction Fuzzy Hash: 391190756042009FC710DF29D889A16BBE5FF89328F19C699E4698F6A2CB34EC05DBD1

Function 00FA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FB4891,?,?,00000035,?), ref: 00FA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FB4891,?,?,00000035,?), ref: 00FA37F4

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e6fb443bbc6874027ea47ee164e6835f36383902ed750b087bc5e83f9d6b0f50
Instruction ID: 186bd173f8de30a037d8943a0a617b0de1436a2dbe76103e62f59a3658dbee96
Opcode Fuzzy Hash: e6fb443bbc6874027ea47ee164e6835f36383902ed750b087bc5e83f9d6b0f50
Instruction Fuzzy Hash: 2AF0E5B16083292AE72057669C4DFEB3AAEEFC5771F000165F50DD3281D9A09904D6F0

Function 00F9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F9B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00F9B270

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f70912de191e22726b971de77cc032a313982c01ba9d507813fc5c2cb273f007
Instruction ID: 095445b84ff9a808050496ba57074bbc00f0a1a0cbfd93a5eada5d0fa99c56fa
Opcode Fuzzy Hash: f70912de191e22726b971de77cc032a313982c01ba9d507813fc5c2cb273f007
Instruction Fuzzy Hash: 6FF06D7180424DABEF058FA0C806BAE7BB0FF04305F00800AF955A6191C3798201AF94

Function 00F910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F911FC), ref: 00F910D4
CloseHandle.KERNEL32(?,?,00F911FC), ref: 00F910E9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fe6682a209c7f25f4dbb178da2c5c12effa89fe2aaccdd6f4a351bf218c011bf
Instruction ID: 94ef9995e96c1322fdc4169d3f848e2dc2477998fda235c94d9ee14a8570df20
Opcode Fuzzy Hash: fe6682a209c7f25f4dbb178da2c5c12effa89fe2aaccdd6f4a351bf218c011bf
Instruction Fuzzy Hash: 3FE04F32404600AEF7252B11FD06E737BA9FB04320B14882DF8AA814B1DB626C90FB50

Function 00F3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F80C40

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: f2af5f673f3ae9fe4f1e1148bf485cf1e2ab5f8d1e8d284eadda00553fc02a92
Instruction ID: 085123a96a1dbe96973f7ed86b3b036869eb82dbd4223379f0519aae45861312
Opcode Fuzzy Hash: f2af5f673f3ae9fe4f1e1148bf485cf1e2ab5f8d1e8d284eadda00553fc02a92
Instruction Fuzzy Hash: B832BE35D00218DBCF14EF94C885BEDB7B5BF05324F548059E806BB292DB79AD49EBA0

Function 00F6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F66766,?,?,00000008,?,?,00F6FEFE,00000000), ref: 00F66998

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 59df2218c0b081d387816f73ea2a629e1059bff8c75c314c7d54a755f44f353c
Instruction ID: 00b12ad79de2b50be961b6d601fee8a84e142033f36bbb95643e2300e9ddfcd6
Opcode Fuzzy Hash: 59df2218c0b081d387816f73ea2a629e1059bff8c75c314c7d54a755f44f353c
Instruction Fuzzy Hash: 14B12B32A10609DFD719CF28C48AB657BE0FF45364F298658E899CF2A2C735E991DB40

Function 00F4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F8851F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 270566680d017628e8b518a002b3efb9227ba676a96b725a6ba5dfd5d088e012
Instruction ID: fb80c71abb233f13bcbf9e7b15aaaec826656c41d927b7e4368a4d5a816650f7
Opcode Fuzzy Hash: 270566680d017628e8b518a002b3efb9227ba676a96b725a6ba5dfd5d088e012
Instruction Fuzzy Hash: B8126071D002299BDB14DF58C8817EEBBB5FF48710F54819AE849EB252DB349E81EB90

Function 00FAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FAEABD

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fef0bc0a11e18e4d4922d2d1ba156fe79f57e3f94747abed20775f4fcd4e0406
Instruction ID: a11397f7d31d0ebb43f08428c9c3635026f12abedef3f44a0f0e21c70bb6e7b2
Opcode Fuzzy Hash: fef0bc0a11e18e4d4922d2d1ba156fe79f57e3f94747abed20775f4fcd4e0406
Instruction Fuzzy Hash: 59E04F762002049FC710EF69D805E9AF7E9AF99770F00841AFD49DB351DB74EC40ABA0

Function 00F509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F503EE), ref: 00F509DA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5157a7beacb02eb715061046f38e2089e4fe336aa7a375b2a62594e3bcb19a7e
Instruction ID: fada75bd749f0a14cee2ba4346b6865cfc1e244b74d9559c94e70a1662f1b379
Opcode Fuzzy Hash: 5157a7beacb02eb715061046f38e2089e4fe336aa7a375b2a62594e3bcb19a7e
Instruction Fuzzy Hash:

Function 00F5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F5798B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7ca8006ddbb72bebf824a7218cef32f4ebfdd5efc998caa8230a32d7101dde20
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 68516A72E0CB055BDB387528A85D7BF63859B12363F280509DF82D7692C619DE0EF361

Function 00F66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7a73798764c0114fbf470992fa2e2ad1ec736c6baf2f5ad112361ec32afb16
Instruction ID: 9ce41943db2bb6b3d906f9ecbe0288824c9628d047b7a2ade852174bd5917f8d
Opcode Fuzzy Hash: 4b7a73798764c0114fbf470992fa2e2ad1ec736c6baf2f5ad112361ec32afb16
Instruction Fuzzy Hash: 88324622D2AF414DD723A634CC22335634AAFB73D9F14C737F81AB59A5EB29C4836140

Function 00F4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c02b9e24f49f6ad4655dc17f9fad17ea7c3f4830a75a66fb7b8cf8e57729b02
Instruction ID: 753009225e8c38a4174f339edfc0fc9569c3eb96040b52d9fb67618baa161ac5
Opcode Fuzzy Hash: 4c02b9e24f49f6ad4655dc17f9fad17ea7c3f4830a75a66fb7b8cf8e57729b02
Instruction Fuzzy Hash: 7D320832E001558BDF28EF29C4D46FD7BA1EF45320F28856ADA599B291D234DD81FBE0

Function 00F37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae36cb273d89f322feb732ced39999ebcb3893a71ceef676a6d56813c88d2550
Instruction ID: e6a708b933df47b1ada736e8f6e7ce9b65109f61f0685da2893a61080ac4c913
Opcode Fuzzy Hash: ae36cb273d89f322feb732ced39999ebcb3893a71ceef676a6d56813c88d2550
Instruction Fuzzy Hash: CF22E2B0E0460ADFDF14DF64C841BAEB7B5FF44320F208129E816A7291EB79AD14EB51

Function 00F391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5965afc701e01683ea846239fd66d0f5ce2f2fae39a3e44526a2c04bcd6226
Instruction ID: 5feda049f2ab20929efd7eed60457e27b45a77e5447ca5741f2b497885658801
Opcode Fuzzy Hash: cd5965afc701e01683ea846239fd66d0f5ce2f2fae39a3e44526a2c04bcd6226
Instruction Fuzzy Hash: E302C9B1E00109EBDF05DF54D841AAEBBB5FF48310F10816AE81A9B291EB75ED14EB91

Function 00F69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183b1a66db54233ae572f645c5f14f8257c2ede333676d8de1ca35153c6a171a
Instruction ID: c8d02267ac7aa0af9556d7be5a6ae5c0a6aa267f864302ac815fdca454af1fee
Opcode Fuzzy Hash: 183b1a66db54233ae572f645c5f14f8257c2ede333676d8de1ca35153c6a171a
Instruction Fuzzy Hash: 25B11120E2AF444DD32396398931336B75DAFBB2D5F92D31BFC2674D22EB2286835141

Function 00F51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8cab826f732e3b511f41c46b7e0c8a15c8c6172b9a10cb92c4d75a7c111c9462
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A29177339080A34ADB294639853567EFFF16A523B371A079DDDF2CA1C1EE10A95CF620

Function 00F51F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 58b162f89e6c1fcba77c3c6dd79732bba49fd1b010679bcb440f887914c64b3f
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 18916373A094A309DBA94239847413EFFE15A933B371A079DDEF2CA1C5EE24955CF620

Function 00F519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9a22468c55fccbea025610127bad335e4c079c62c04e1f49bf4afe5371d5a7ea
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 759177736090A349DB2E427A857427DFFE16A923B331A079DD9F2CA1C1FD14A55CF620

Function 00F57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0caf91f67bcedb3ed14278e37c6a83261d41d4c8386aaa09e8710d298fe3e2
Instruction ID: a1a9275cb07d36afcc7641ca0b947f7ffcdc2762c2cbdbc294570726c008b332
Opcode Fuzzy Hash: fb0caf91f67bcedb3ed14278e37c6a83261d41d4c8386aaa09e8710d298fe3e2
Instruction Fuzzy Hash: 45617831A0870966DA34B928BC99BBE3384DF81363F140919EF43DB295DA199E4FB315

Function 00F57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbaa452d3aaa45e5720b6d1cc5760d33cddaecc180d5e0053b8748e02df844c
Instruction ID: f5d9c42dea02fc2af633262cefb09e8eb07d5e54e33c8bb89093d969778b7b00
Opcode Fuzzy Hash: dbbaa452d3aaa45e5720b6d1cc5760d33cddaecc180d5e0053b8748e02df844c
Instruction Fuzzy Hash: 88619B31E0870957DA3879287C56BBF33A89F41763F100959EF43DB281EA16AD4FB251

Function 00F51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 52ced95e8dffbc645951d4de2489d1e0430ec2f7b9a9ebba00e7f7988bb47f9d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D48156739090A309DB69423D853467EFFE17A923B371A079DD9F2CA1C1EE14A55CF620

Function 00FA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0f79772ac88e6f2a3c1afb829d6d1061d357a38b5b19be355ecb2ba845e236
Instruction ID: 96f9727f363dc6c91deba2dc8c13041258782de077c4565a6ccaca3bdb7c763c
Opcode Fuzzy Hash: 4d0f79772ac88e6f2a3c1afb829d6d1061d357a38b5b19be355ecb2ba845e236
Instruction Fuzzy Hash: 6621B7727206118BD728CF79C92367E73E5AB54320F15862EE4A7C37C5DE7AA904DB80

Function 00FB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FB2B30
DeleteObject.GDI32(00000000), ref: 00FB2B43
DestroyWindow.USER32 ref: 00FB2B52
GetDesktopWindow.USER32 ref: 00FB2B6D
GetWindowRect.USER32(00000000), ref: 00FB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2CF8
GetClientRect.USER32(00000000,?), ref: 00FB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D80
GlobalLock.KERNEL32(00000000), ref: 00FB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D98
GlobalUnlock.KERNEL32(00000000), ref: 00FB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DA8
GlobalFree.KERNEL32(00000000), ref: 00FB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FCFC38,00000000), ref: 00FB2DDB
GlobalFree.KERNEL32(00000000), ref: 00FB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB303F

Strings

DISPLAY, xrefs: 00FB2EA2
, xrefs: 00FB2FC5
static, xrefs: 00FB2D3A, 00FB2E91
AutoIt v3, xrefs: 00FB2CF2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 10556a92cca5b9ff756b9c5180eb3d51d234f9f5011ae7c713ead71d3e318f4d
Instruction ID: e1cdc61f8c6ca3d39b99cba0674b06e384a9396d30d75ffe4e17439e92ca3be4
Opcode Fuzzy Hash: 10556a92cca5b9ff756b9c5180eb3d51d234f9f5011ae7c713ead71d3e318f4d
Instruction Fuzzy Hash: A2025071900209AFDB14DF65CD89EAE7BB9EF48720F048558F919AB2A1CB74DD01EF60

Function 00FC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FC712F
GetSysColorBrush.USER32(0000000F), ref: 00FC7160
GetSysColor.USER32(0000000F), ref: 00FC716C
SetBkColor.GDI32(?,000000FF), ref: 00FC7186
SelectObject.GDI32(?,?), ref: 00FC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00FC71C0
GetSysColor.USER32(00000010), ref: 00FC71C8
CreateSolidBrush.GDI32(00000000), ref: 00FC71CF
FrameRect.USER32(?,?,00000000), ref: 00FC71DE
DeleteObject.GDI32(00000000), ref: 00FC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00FC7230
FillRect.USER32(?,?,?), ref: 00FC7262
GetWindowLongW.USER32(?,000000F0), ref: 00FC7284

Part of subcall function 00FC73E8: GetSysColor.USER32(00000012), ref: 00FC7421
Part of subcall function 00FC73E8: SetTextColor.GDI32(?,?), ref: 00FC7425
Part of subcall function 00FC73E8: GetSysColorBrush.USER32(0000000F), ref: 00FC743B
Part of subcall function 00FC73E8: GetSysColor.USER32(0000000F), ref: 00FC7446
Part of subcall function 00FC73E8: GetSysColor.USER32(00000011), ref: 00FC7463
Part of subcall function 00FC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FC7471
Part of subcall function 00FC73E8: SelectObject.GDI32(?,00000000), ref: 00FC7482
Part of subcall function 00FC73E8: SetBkColor.GDI32(?,00000000), ref: 00FC748B
Part of subcall function 00FC73E8: SelectObject.GDI32(?,?), ref: 00FC7498
Part of subcall function 00FC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FC74B7
Part of subcall function 00FC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FC74CE
Part of subcall function 00FC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FC74DB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2e8795e30098212f2687e00c9839fb0174f25725f8a8eb1de419a900d9845ec8
Instruction ID: e55dcfcc280f93c5d21d12e0eeacc1eedb1c538e374d915b2179c4cbf6ad0353
Opcode Fuzzy Hash: 2e8795e30098212f2687e00c9839fb0174f25725f8a8eb1de419a900d9845ec8
Instruction Fuzzy Hash: ACA1AE72408306AFD700AF60DE4AF5B7BA9FB89320F140A19F966971E1D731E944EF91

Function 00F48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F86F43

Part of subcall function 00F48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F48BE8,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48FC5

SendMessageW.USER32(?,00001053), ref: 00F86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F86FB7

Strings

0, xrefs: 00F86DCF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b6a49ede93b3c7fe607014f88b787c4917c13d1245d6b083e9ae1158801c304d
Instruction ID: feb7b183bce0b994a37ca0324ea98b18cc397280fc53e756ba12c4c4774e179e
Opcode Fuzzy Hash: b6a49ede93b3c7fe607014f88b787c4917c13d1245d6b083e9ae1158801c304d
Instruction Fuzzy Hash: 4912AD31A00201EFDB25EF14C945BEABBE5FB45320F144469F999CB251CB36EC92EB91

Function 00FB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FB2900
GetClientRect.USER32(00000000,?), ref: 00FB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FB2964
GetStockObject.GDI32(00000011), ref: 00FB2974
SelectObject.GDI32(00000000,00000000), ref: 00FB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB2991
DeleteDC.GDI32(00000000), ref: 00FB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FB2A77
GetStockObject.GDI32(00000011), ref: 00FB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FB2A97

Strings

DISPLAY, xrefs: 00FB295A
static, xrefs: 00FB294F, 00FB2A71
AutoIt v3, xrefs: 00FB28F8
msctls_progress32, xrefs: 00FB2A13

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a19e29bf816f70cb41ff88a3ea916a11489904107cca888bc437343128d78804
Instruction ID: e1c11f037eb9c8d5df01b31244f52ecb49b458781bd7aaed6b9c39d3f5754524
Opcode Fuzzy Hash: a19e29bf816f70cb41ff88a3ea916a11489904107cca888bc437343128d78804
Instruction Fuzzy Hash: 21B16FB1A00209AFEB24DF69CD4AFAE7BA9EB48710F148115F914E72D0DB74ED40DB94

Function 00FA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA4AED
GetDriveTypeW.KERNEL32(?,00FCCB68,?,\\.\,00FCCC08), ref: 00FA4BCA
SetErrorMode.KERNEL32(00000000,00FCCB68,?,\\.\,00FCCC08), ref: 00FA4D36

Strings

USB, xrefs: 00FA4CB4
SSA, xrefs: 00FA4CA6
CDROM, xrefs: 00FA4BFB
1394, xrefs: 00FA4C9F
Unknown, xrefs: 00FA4BED, 00FA4C83
ATA, xrefs: 00FA4C98
Removable, xrefs: 00FA4C10, 00FA4C15
RAID, xrefs: 00FA4CBB
MMC, xrefs: 00FA4CDE
SAS, xrefs: 00FA4CC9
Fibre, xrefs: 00FA4CAD
SCSI, xrefs: 00FA4C8A
SSD, xrefs: 00FA4C4A
iSCSI, xrefs: 00FA4CC2
Virtual, xrefs: 00FA4CE5
Network, xrefs: 00FA4C02
Fixed, xrefs: 00FA4C09
PhysicalDrive, xrefs: 00FA4B76
FileBackedVirtual, xrefs: 00FA4CEC
ATAPI, xrefs: 00FA4C91
\\.\, xrefs: 00FA4B3F
SATA, xrefs: 00FA4CD0
RAMDisk, xrefs: 00FA4BF4

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ec71fc57c768452d7dbef71e11587e7680cdf96e33d4e9b3882fed144ccbd1c0
Instruction ID: cb75527d09e51b625944fd92ccccae06e69da24c196a3c73379e7f64bd76f09f
Opcode Fuzzy Hash: ec71fc57c768452d7dbef71e11587e7680cdf96e33d4e9b3882fed144ccbd1c0
Instruction Fuzzy Hash: 8B61A7B160520A9BCB04DF14CA81A7C77B0AF86760B244415F90AEB6A1DFF5FD41FB52

Function 00FC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FC7421
SetTextColor.GDI32(?,?), ref: 00FC7425
GetSysColorBrush.USER32(0000000F), ref: 00FC743B
GetSysColor.USER32(0000000F), ref: 00FC7446
CreateSolidBrush.GDI32(?), ref: 00FC744B
GetSysColor.USER32(00000011), ref: 00FC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FC7471
SelectObject.GDI32(?,00000000), ref: 00FC7482
SetBkColor.GDI32(?,00000000), ref: 00FC748B
SelectObject.GDI32(?,?), ref: 00FC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00FC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00FC7572
DrawFocusRect.USER32(?,?), ref: 00FC757D
GetSysColor.USER32(00000011), ref: 00FC758E
SetTextColor.GDI32(?,00000000), ref: 00FC7596
DrawTextW.USER32(?,00FC70F5,000000FF,?,00000000), ref: 00FC75A8
SelectObject.GDI32(?,?), ref: 00FC75BF
DeleteObject.GDI32(?), ref: 00FC75CA
SelectObject.GDI32(?,?), ref: 00FC75D0
DeleteObject.GDI32(?), ref: 00FC75D5
SetTextColor.GDI32(?,?), ref: 00FC75DB
SetBkColor.GDI32(?,?), ref: 00FC75E5

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 720bf29b5f2cd084e5c7e5b885363e8731e7f5dc5836bb7ae75b459343be0d40
Instruction ID: e908876455d3fc1e72ba01ed9b9b6e6050f07d05821e18987fedec8a2a1730a6
Opcode Fuzzy Hash: 720bf29b5f2cd084e5c7e5b885363e8731e7f5dc5836bb7ae75b459343be0d40
Instruction Fuzzy Hash: AC617D72D00219AFDF009FA4DD4AEEEBFB9EB08320F144515F919AB2A1D7719940EF90

Function 00FC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC1128
GetDesktopWindow.USER32 ref: 00FC113D
GetWindowRect.USER32(00000000), ref: 00FC1144
GetWindowLongW.USER32(?,000000F0), ref: 00FC1199
DestroyWindow.USER32(?), ref: 00FC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FC1245
IsWindowVisible.USER32(00000000), ref: 00FC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FC12D0
GetWindowRect.USER32(00000000,?), ref: 00FC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00FC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00FC1328
CopyRect.USER32(?,?), ref: 00FC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FC13AA

Strings

0, xrefs: 00FC10D3
tooltips_class32, xrefs: 00FC11E6
(, xrefs: 00FC131B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a4f9cdc81bda229b62aa4df36acd3fa0a26d646c16bde4ecd2eba6672ba65050
Instruction ID: 8d3d0e814b6086cbe759c3f6f430da6540a252a9311d5c9846af09a7c2a4031d
Opcode Fuzzy Hash: a4f9cdc81bda229b62aa4df36acd3fa0a26d646c16bde4ecd2eba6672ba65050
Instruction Fuzzy Hash: C6B1AE71A08341AFD700DF64CA86F6ABBE4FF85314F00891CF9999B262C771E854EB91

Function 00F90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
Part of subcall function 00F910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
Part of subcall function 00F910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
Part of subcall function 00F910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F90E29
GetLengthSid.ADVAPI32(?), ref: 00F90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F90E96
GetLengthSid.ADVAPI32(?), ref: 00F90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F90EB5
HeapAlloc.KERNEL32(00000000), ref: 00F90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F90EDD
CopySid.ADVAPI32(00000000), ref: 00F90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F6E
HeapFree.KERNEL32(00000000), ref: 00F90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F7E
HeapFree.KERNEL32(00000000), ref: 00F90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F8E
HeapFree.KERNEL32(00000000), ref: 00F90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F90FA1
HeapFree.KERNEL32(00000000), ref: 00F90FA8

Part of subcall function 00F91193: GetProcessHeap.KERNEL32(00000008,00F90BB1,?,00000000,?,00F90BB1,?), ref: 00F911A1
Part of subcall function 00F91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F90BB1,?), ref: 00F911A8
Part of subcall function 00F91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F90BB1,?), ref: 00F911B7

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9eb9af8f8a8ade3411cb128ef6c4ce60af3fd81f638c43bb7b7f3c399ce58ce7
Instruction ID: a3fc36f41eb12a3c7a06c85312fe3eab98b7e6b9081018f0dc024f2268bb5177
Opcode Fuzzy Hash: 9eb9af8f8a8ade3411cb128ef6c4ce60af3fd81f638c43bb7b7f3c399ce58ce7
Instruction Fuzzy Hash: 6D714B7290020AAFEF209FA5DD45FAEBBB8FF04314F044125F919E7191DB319A05EBA0

Function 00FBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FCCC08,00000000,?,00000000,?,?), ref: 00FBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FBC5A4
_wcslen.LIBCMT ref: 00FBC5F4
_wcslen.LIBCMT ref: 00FBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FBC84D
RegCloseKey.ADVAPI32(?), ref: 00FBC881
RegCloseKey.ADVAPI32(00000000), ref: 00FBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FBC960

Strings

REG_MULTI_SZ, xrefs: 00FBC6F5
REG_DWORD, xrefs: 00FBC804
REG_BINARY, xrefs: 00FBC913
REG_SZ, xrefs: 00FBC644
REG_QWORD, xrefs: 00FBC8C3
REG_EXPAND_SZ, xrefs: 00FBC5CD

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 40c708e5baa13cd0b385ea00a5d772a9c9e10fb55d6247a7f7f09c5c3c70a7d1
Instruction ID: cbaabcb3d7b0f250eef16801d0df621c554b431f794cc139e4fc665506da5669
Opcode Fuzzy Hash: 40c708e5baa13cd0b385ea00a5d772a9c9e10fb55d6247a7f7f09c5c3c70a7d1
Instruction Fuzzy Hash: FD126B756042019FDB14DF15C881A6AB7E5EF88724F18885CF88A9B3A2DB35FD41EF81

Function 00FC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC09C6
_wcslen.LIBCMT ref: 00FC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC0A54
_wcslen.LIBCMT ref: 00FC0A8A
_wcslen.LIBCMT ref: 00FC0B06
_wcslen.LIBCMT ref: 00FC0B81

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

Part of subcall function 00F92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F92BFA

Strings

COLLAPSE, xrefs: 00FC0B01, 00FC0B1C
GETSELECTED, xrefs: 00FC0C4E
EXPAND, xrefs: 00FC0BF8
GETITEMCOUNT, xrefs: 00FC0C1E
ISCHECKED, xrefs: 00FC0CE1
GETTEXT, xrefs: 00FC0C97
EXISTS, xrefs: 00FC0B7C, 00FC0B97
SELECT, xrefs: 00FC0D11
CHECK, xrefs: 00FC0A85, 00FC0AA0
GETTOTALCOUNT, xrefs: 00FC09F2, 00FC0A17
UNCHECK, xrefs: 00FC0D3E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b507728c92a0df4dec8a9752b92f6054985f83a105e5eb2f11d4e3963b9509a6
Instruction ID: d6c15008b1e6e7a526085bd417a93c92bfcce61d72bb9921094873e5e486ca1a
Opcode Fuzzy Hash: b507728c92a0df4dec8a9752b92f6054985f83a105e5eb2f11d4e3963b9509a6
Instruction Fuzzy Hash: 2FE18E36608302DFCB14EF24C951A2AB7E1BF94324F14495CF89697362DB35ED46EB81

Function 00FBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
_wcslen.LIBCMT ref: 00FBC9F1
_wcslen.LIBCMT ref: 00FBCA68
_wcslen.LIBCMT ref: 00FBCA9E
_wcslen.LIBCMT ref: 00FBCAF9
_wcslen.LIBCMT ref: 00FBCB2F
_wcslen.LIBCMT ref: 00FBCB7F

Strings

HKLM, xrefs: 00FBCA98, 00FBCA9D
HKEY_USERS, xrefs: 00FBCBDF
HKCC, xrefs: 00FBCBAC
HKU, xrefs: 00FBCBF0
HKEY_CURRENT_CONFIG, xrefs: 00FBCB79, 00FBCB7E
HKEY_LOCAL_MACHINE, xrefs: 00FBCA62, 00FBCA67
HKCR, xrefs: 00FBCB29, 00FBCB2E
HKEY_CLASSES_ROOT, xrefs: 00FBCAF3, 00FBCAF8
HKEY_CURRENT_USER, xrefs: 00FBCBBD
HKCU, xrefs: 00FBCBCE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3e560894d8cf7475ee522e759cb1c04aceef3457eace07187ae319e30fe60b87
Instruction ID: 9cb8c3907a784f9755f8d602f05838abea83baee2ba9340d4f213dfc1b599ed6
Opcode Fuzzy Hash: 3e560894d8cf7475ee522e759cb1c04aceef3457eace07187ae319e30fe60b87
Instruction Fuzzy Hash: 85710533A0016A8BCB20EE2ACC516FF37959FA0774B214128FC559B295E638CD44BBE0

Function 00FC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC835A
_wcslen.LIBCMT ref: 00FC836E
_wcslen.LIBCMT ref: 00FC8391
_wcslen.LIBCMT ref: 00FC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032), ref: 00FC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FC8501
FreeLibrary.KERNEL32(?), ref: 00FC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FC851D
DestroyIcon.USER32(?), ref: 00FC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FC8555

Strings

.icl, xrefs: 00FC8368
.dll, xrefs: 00FC83AB
.exe, xrefs: 00FC8388

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: dc9cdc1252d02316bd7191c25e36761a1ebc75c1c6325182a25932f5d8d9a501
Instruction ID: 380161ba1c99d7085f43142495bf64f78b0e59c7a85f9f97196aeb4be1537fe6
Opcode Fuzzy Hash: dc9cdc1252d02316bd7191c25e36761a1ebc75c1c6325182a25932f5d8d9a501
Instruction Fuzzy Hash: 6A61D17194021ABAEB18DF64CD42FFE77A8BF04761F10450AF915D70D1DBB4A981EBA0

Function 00F37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 00F377D3
#cs, xrefs: 00F37873, 00F378C5
#comments-end, xrefs: 00F378D9
Bad directive syntax error, xrefs: 00F7519A
#OnAutoItStartRegister, xrefs: 00F37817
#notrayicon, xrefs: 00F377E7
#include, xrefs: 00F37847
', xrefs: 00F75169
", xrefs: 00F75153
#include-once, xrefs: 00F3782F
Cannot parse #include, xrefs: 00F75279
#comments-start, xrefs: 00F3785F, 00F378B1
#ce, xrefs: 00F378ED
Unterminated group of comments, xrefs: 00F7528C
#requireadmin, xrefs: 00F377FF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d6c0211e362a51a0c99d93313495f016147efdc682280ee2ae354c7833ca3a09
Instruction ID: a84ec6fc7c7f0fe7d6a197115242a1aa9e2640a9afead965ab15f28e706ab996
Opcode Fuzzy Hash: d6c0211e362a51a0c99d93313495f016147efdc682280ee2ae354c7833ca3a09
Instruction Fuzzy Hash: E481F8B1A04305BBDB20BF60CC43FAE7BA4AF14760F044025FD09AA192EBB4D915F792

Function 00FA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FA3EF8
_wcslen.LIBCMT ref: 00FA3F03
_wcslen.LIBCMT ref: 00FA3F5A
_wcslen.LIBCMT ref: 00FA3F98
GetDriveTypeW.KERNEL32(?), ref: 00FA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA4087

Strings

wait, xrefs: 00FA4044
set cd door , xrefs: 00FA4028
open, xrefs: 00FA3F54, 00FA3F59
close, xrefs: 00FA3EFE, 00FA3F18
open , xrefs: 00FA3FE5
closed, xrefs: 00FA3F08, 00FA3F2D, 00FA3F46, 00FA3F7E, 00FA3F97
close cd wait, xrefs: 00FA4072
type cdaudio alias cd wait, xrefs: 00FA4001

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6defe51fbd53e519bb3fdb4e5f63c059c12814f394984a62d3d35c73ed84c1e8
Instruction ID: c1e972f4b3355ca5a41505009d972899e98cad9da24b62c9972ac018f5b6740f
Opcode Fuzzy Hash: 6defe51fbd53e519bb3fdb4e5f63c059c12814f394984a62d3d35c73ed84c1e8
Instruction Fuzzy Hash: 2771F1B2A042059FC310EF34C88186AB7F4EF95768F10892DF996D7261EB34ED45EB91

Function 00F95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F95A40
SetWindowTextW.USER32(?,?), ref: 00F95A57
GetDlgItem.USER32(?,000003EA), ref: 00F95A6C
SetWindowTextW.USER32(00000000,?), ref: 00F95A72
GetDlgItem.USER32(?,000003E9), ref: 00F95A82
SetWindowTextW.USER32(00000000,?), ref: 00F95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F95AC3
GetWindowRect.USER32(?,?), ref: 00F95ACC
_wcslen.LIBCMT ref: 00F95B33
SetWindowTextW.USER32(?,?), ref: 00F95B6F
GetDesktopWindow.USER32 ref: 00F95B75
GetWindowRect.USER32(00000000), ref: 00F95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F95BD3
GetClientRect.USER32(?,?), ref: 00F95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F95C2F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: bd7d5e7c448d1f2d2df73926b493b9dafa9c9a56abdd9347780085d896dad067
Instruction ID: be1150821d3602bda9881e389f3f206f8de8891c4aad724cbc3feafdc4c5ba96
Opcode Fuzzy Hash: bd7d5e7c448d1f2d2df73926b493b9dafa9c9a56abdd9347780085d896dad067
Instruction Fuzzy Hash: AB717D31900A099FEB21DFA8CE86E6EBBF5FF48B14F104518E586A35A0D775E940EB50

Function 00FAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FAFECC
GetCursorInfo.USER32(?), ref: 00FAFEDC
GetLastError.KERNEL32 ref: 00FAFF1E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 505ed4a2adf25ca910e8f29a05ddae1dac348ad8dac4d39909af35960b9684eb
Instruction ID: e8e5c6ac02071980a931e482eeb162708c007547ec666296f0dfbfd7e29a6485
Opcode Fuzzy Hash: 505ed4a2adf25ca910e8f29a05ddae1dac348ad8dac4d39909af35960b9684eb
Instruction Fuzzy Hash: 0A4153B0D043196FDB109FBA8C85C5EBFE8FF05364B50462AE11DEB281DB7899019F91

Function 00F500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F500C6

Part of subcall function 00F500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0100070C,00000FA0,CEE1965A,?,?,?,?,00F723B3,000000FF), ref: 00F5011C
Part of subcall function 00F500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F723B3,000000FF), ref: 00F50127
Part of subcall function 00F500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F723B3,000000FF), ref: 00F50138
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F5014E
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F5015C
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F5016A
Part of subcall function 00F500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F50195
Part of subcall function 00F500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F501A0

___scrt_fastfail.LIBCMT ref: 00F500E7

Part of subcall function 00F500A3: __onexit.LIBCMT ref: 00F500A9

Strings

kernel32.dll, xrefs: 00F50133
WakeAllConditionVariable, xrefs: 00F50162
InitializeConditionVariable, xrefs: 00F50148
SleepConditionVariableCS, xrefs: 00F50154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F50122

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4acd2b02cc7a8bb834b82a4c6a113fc258165372590a0722b089bb0c404f1184
Instruction ID: d0c265db2c2697ad45573fbd77fc5cff02eba1a9d7faa3c91d59fd085d86330f
Opcode Fuzzy Hash: 4acd2b02cc7a8bb834b82a4c6a113fc258165372590a0722b089bb0c404f1184
Instruction Fuzzy Hash: 54212932E40B156BE7215B64AD07F6A7794EB04B62F04013AFD0A972C1DF788808BAD2

Function 00F930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9318D
_wcslen.LIBCMT ref: 00F931F8

Strings

TEXT, xrefs: 00F9347C
CLASSNN, xrefs: 00F931F3, 00F93204
INSTANCE, xrefs: 00F93453
CLASS, xrefs: 00F93188, 00F931A5
NAME, xrefs: 00F93335, 00F93346
REGEXPCLASS, xrefs: 00F93255, 00F93266

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 213b8210681e746af9b23e2ccd1a06c955995ec56b88f0f262deb1af20cf1307
Instruction ID: 2fde87fc10329123395a966cb27b32b83a89e27edbe8fc7a558f10eb5729715f
Opcode Fuzzy Hash: 213b8210681e746af9b23e2ccd1a06c955995ec56b88f0f262deb1af20cf1307
Instruction Fuzzy Hash: F1E1E532E00516ABDF18DFA8C841BFDBBB0BF44720F558119E956E7250DB30AE89B790

Function 00FA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FCCC08), ref: 00FA4527
_wcslen.LIBCMT ref: 00FA453B
_wcslen.LIBCMT ref: 00FA4599
_wcslen.LIBCMT ref: 00FA45F4
_wcslen.LIBCMT ref: 00FA463F
_wcslen.LIBCMT ref: 00FA46A7

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

GetDriveTypeW.KERNEL32(?,00FF6BF0,00000061), ref: 00FA4743

Strings

all, xrefs: 00FA4531, 00FA4536
network, xrefs: 00FA469D, 00FA46A2
fixed, xrefs: 00FA4635, 00FA463A
removable, xrefs: 00FA45EA, 00FA45EF
unknown, xrefs: 00FA4708
ramdisk, xrefs: 00FA46F1
cdrom, xrefs: 00FA458F, 00FA4594

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1e8c691230f5e28235f2dbe1093497a327eac7fd65c8cb68caf52e857a148589
Instruction ID: 8debabd50ec9d430ac24d090e94d07a30bd45bf3e8f557fd2b3600ef20f4a8a9
Opcode Fuzzy Hash: 1e8c691230f5e28235f2dbe1093497a327eac7fd65c8cb68caf52e857a148589
Instruction Fuzzy Hash: DEB1F3B1A083029FC710DF28C891A6AB7E5AFD6720F50491DF596C7291D7B4E844EB52

Function 00FB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FCCC08), ref: 00FB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FCCC08), ref: 00FB40F2
FreeLibrary.KERNEL32(00000000,?,00FCCC08), ref: 00FB413E
StringFromGUID2.OLE32(?,?,00000028,?,00FCCC08), ref: 00FB41A8
SysFreeString.OLEAUT32(00000009), ref: 00FB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FB42C8
SysFreeString.OLEAUT32(?), ref: 00FB42F2

Strings

kernel32.dll, xrefs: 00FB40B6
GetModuleHandleExW, xrefs: 00FB40C7

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 497ef0101a77e3297b6811868fce23313b6cc535d0c727b527dad5ec2af79d09
Instruction ID: 59587c4ee8c120b881d554fde51683c10f44e456e8ae9788f19254292173befd
Opcode Fuzzy Hash: 497ef0101a77e3297b6811868fce23313b6cc535d0c727b527dad5ec2af79d09
Instruction Fuzzy Hash: F7125A75A00109EFDB14DF95C984EAEBBB5FF45314F288098E9099B252C731ED42EFA0

Function 00F3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01001990), ref: 00F72F8D
GetMenuItemCount.USER32(01001990), ref: 00F7303D
GetCursorPos.USER32(?), ref: 00F73081
SetForegroundWindow.USER32(00000000), ref: 00F7308A
TrackPopupMenuEx.USER32(01001990,00000000,?,00000000,00000000,00000000), ref: 00F7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F730A9

Strings

0, xrefs: 00F3327D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 43a558747d1c2ee681dc8f5b95c07c3af6e9b92d28e4f3c8e645572bf0f688b4
Instruction ID: 75e578a325d3afbe5ae1d335def2b58f5f5d15f71d4a771b4a82e8a5a66d1752
Opcode Fuzzy Hash: 43a558747d1c2ee681dc8f5b95c07c3af6e9b92d28e4f3c8e645572bf0f688b4
Instruction Fuzzy Hash: 9A71F831A44205BEFB218F24DD49F9ABF64FF05374F248216F5186A1D0C7B1A910FB92

Function 00FC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00FC6DEB

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC6E94
DestroyWindow.USER32(?), ref: 00FC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F30000,00000000), ref: 00FC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC6EFD
GetDesktopWindow.USER32 ref: 00FC6F16
GetWindowRect.USER32(00000000), ref: 00FC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FC6F4D

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

Strings

0, xrefs: 00FC6D98
tooltips_class32, xrefs: 00FC6E58, 00FC6EDD

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 801f489f7bb0161b933c6e35af0360377dc7ffe417e39a74dcba22fc91282842
Instruction ID: 1ac532e1532bc993db52865d9d0ed51d7e739ddfafeaaee443c12884164b1ae3
Opcode Fuzzy Hash: 801f489f7bb0161b933c6e35af0360377dc7ffe417e39a74dcba22fc91282842
Instruction Fuzzy Hash: C5718870908245AFDB21CF18DA49FAABBE9FF88314F04041EF989C7261D775E906EB15

Function 00FC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DragQueryPoint.SHELL32(?,?), ref: 00FC9147

Part of subcall function 00FC7674: ClientToScreen.USER32(?,?), ref: 00FC769A
Part of subcall function 00FC7674: GetWindowRect.USER32(?,?), ref: 00FC7710
Part of subcall function 00FC7674: PtInRect.USER32(?,?,00FC8B89), ref: 00FC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00FC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00FC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00FC9277
DragFinish.SHELL32(?), ref: 00FC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FC9371

Strings

@GUI_DROPID, xrefs: 00FC929E
@GUI_DRAGID, xrefs: 00FC92E9
@GUI_DRAGFILE, xrefs: 00FC9320

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 8fbd0b3f14f5deb6153dc172c0242e2202049d0c90da3aedc42f3116ca0b279b
Instruction ID: 254f8717566e425b96ba3570ad7bf024f611cacf55ecc7d044f58885e51eeb45
Opcode Fuzzy Hash: 8fbd0b3f14f5deb6153dc172c0242e2202049d0c90da3aedc42f3116ca0b279b
Instruction Fuzzy Hash: 4B616D71108305AFD701DF64DD86EAFBBE8EF88760F00091DF595931A0DBB49A49EB92

Function 00FAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FAC5F0
InternetCloseHandle.WININET(00000000), ref: 00FAC5FB

Strings

, xrefs: 00FAC575

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f389247796b208d338d8cb5a91ce61f60fb8aab64bfa0c6a07ec65cf1b21406
Instruction ID: f917366a960b87665276e6bcbc479fd0cdd8e82de3894f9f853ddb018840593b
Opcode Fuzzy Hash: 4f389247796b208d338d8cb5a91ce61f60fb8aab64bfa0c6a07ec65cf1b21406
Instruction Fuzzy Hash: 45513AB1900609BFDB219F64C989AAA7BFCEF09754F044419F94A97610DB34E944ABE0

Function 00FC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FC8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00FC85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FC85AD
CloseHandle.KERNEL32(00000000), ref: 00FC85BA
GlobalLock.KERNEL32(00000000), ref: 00FC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FC85D7
GlobalUnlock.KERNEL32(00000000), ref: 00FC85E0
CloseHandle.KERNEL32(00000000), ref: 00FC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FC85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FCFC38,?), ref: 00FC8611
GlobalFree.KERNEL32(00000000), ref: 00FC8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FC8671
DeleteObject.GDI32(00000000), ref: 00FC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FC86AF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3e87838f3414c94749df61304f5d79f6060fe3c669c4ea693d5b6d5ae0f2d35c
Instruction ID: bbf36b35a1350d7c7cb4fc6188b693d26294457e46557b364a2204e984bc4f06
Opcode Fuzzy Hash: 3e87838f3414c94749df61304f5d79f6060fe3c669c4ea693d5b6d5ae0f2d35c
Instruction Fuzzy Hash: 5A414C71600209AFDB11CFA5CE4AEAA7BB8FF89761F14405CF909E7260DB709D01EB60

Function 00FA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FA1502
VariantCopy.OLEAUT32(?,?), ref: 00FA150B
VariantClear.OLEAUT32(?), ref: 00FA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FA1657
VariantInit.OLEAUT32(?), ref: 00FA1708
SysFreeString.OLEAUT32(?), ref: 00FA178C
VariantClear.OLEAUT32(?), ref: 00FA17D8
VariantClear.OLEAUT32(?), ref: 00FA17E7
VariantInit.OLEAUT32(00000000), ref: 00FA1823

Strings

Default, xrefs: 00FA16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00FA1625

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 08175971e3eddb8c40077de06d83599298f636467c970381c103aef223e1d47d
Instruction ID: 6acd70143e4e90f734995a71b2826e453f5a1f2977e7f9b6ca71089110e48e83
Opcode Fuzzy Hash: 08175971e3eddb8c40077de06d83599298f636467c970381c103aef223e1d47d
Instruction Fuzzy Hash: 70D121B2E00505DFDB00DFA5D895B79B7B0BF46710F1A805AE84AAB180DB34DC04FBA1

Function 00FBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FBB80A
RegCloseKey.ADVAPI32(?), ref: 00FBB87E
RegCloseKey.ADVAPI32(?), ref: 00FBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FBB922
FreeLibrary.KERNEL32(00000000), ref: 00FBB983
RegCloseKey.ADVAPI32(00000000), ref: 00FBB994

Strings

advapi32.dll, xrefs: 00FBB8ED
RegDeleteKeyExW, xrefs: 00FBB8FE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5c5784204634ac1aade661c74f33eff46d759cb9faf3be0c6ec681ae171ed315
Instruction ID: af39a60c11e986a985d3903d6effe1b6a1b964355b1b74d5088338a1c740f40c
Opcode Fuzzy Hash: 5c5784204634ac1aade661c74f33eff46d759cb9faf3be0c6ec681ae171ed315
Instruction Fuzzy Hash: 6EC19E35608201AFD710DF15C895F6ABBE1FF84328F14845CE49A8B2A2CBB5EC45EF91

Function 00FB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FB25E8
CreateCompatibleDC.GDI32(?), ref: 00FB25F4
SelectObject.GDI32(00000000,?), ref: 00FB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FB26D0
SelectObject.GDI32(?,?), ref: 00FB26D8
DeleteObject.GDI32(?), ref: 00FB26E1
DeleteDC.GDI32(?), ref: 00FB26E8
ReleaseDC.USER32(00000000,?), ref: 00FB26F3

Strings

(, xrefs: 00FB268D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f9c4b9aa1110aed366ecf1234bffffd51a6eb3c44925118df725b9ccdfa5bfcb
Instruction ID: eb68bea57e184fe44dd51f09d2220d1630d1022774bc6c07dec81793a3c52cc9
Opcode Fuzzy Hash: f9c4b9aa1110aed366ecf1234bffffd51a6eb3c44925118df725b9ccdfa5bfcb
Instruction Fuzzy Hash: 696101B5D00219EFCF04CFA9C985EAEBBB6FF48310F248529E959A7250D734A941DF90

Function 00F6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F6DAA1

Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D659
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D66B
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D67D
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D68F
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6A1
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6B3
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6C5
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6D7
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6E9
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6FB
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D70D
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D71F
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D731

_free.LIBCMT ref: 00F6DA96

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6DAB8
_free.LIBCMT ref: 00F6DACD
_free.LIBCMT ref: 00F6DAD8
_free.LIBCMT ref: 00F6DAFA
_free.LIBCMT ref: 00F6DB0D
_free.LIBCMT ref: 00F6DB1B
_free.LIBCMT ref: 00F6DB26
_free.LIBCMT ref: 00F6DB5E
_free.LIBCMT ref: 00F6DB65
_free.LIBCMT ref: 00F6DB82
_free.LIBCMT ref: 00F6DB9A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 78c0c0fe0a2a59f2e4f4b39e4dd74ce4d560f06dc434dfc6e657a4835ae38283
Instruction ID: 149657d1e4e543c7087c729544c4d2274dfc451570661603e17bf4def5e265cd
Opcode Fuzzy Hash: 78c0c0fe0a2a59f2e4f4b39e4dd74ce4d560f06dc434dfc6e657a4835ae38283
Instruction Fuzzy Hash: F7317831F046049FEB25AA78EC41B6AB7F9FF80360F154529E048D7192DB38AC80FB20

Function 00F9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F9369C
_wcslen.LIBCMT ref: 00F936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F93797
GetClassNameW.USER32(?,?,00000400), ref: 00F9380C
GetDlgCtrlID.USER32(?), ref: 00F9385D
GetWindowRect.USER32(?,?), ref: 00F93882
GetParent.USER32(?), ref: 00F938A0
ScreenToClient.USER32(00000000), ref: 00F938A7
GetClassNameW.USER32(?,?,00000100), ref: 00F93921
GetWindowTextW.USER32(?,?,00000400), ref: 00F9395D

Strings

%s%u, xrefs: 00F93734

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 350f32c68f281133a9fc180abf8ab1b370edeffdf0b0947acf7958bc67352964
Instruction ID: 4eec8736a8089507d306a7dc9e624f13af24040caa394f733c4756bfdd595125
Opcode Fuzzy Hash: 350f32c68f281133a9fc180abf8ab1b370edeffdf0b0947acf7958bc67352964
Instruction Fuzzy Hash: 5D910671604306AFEB19DF64C885FAAF7A9FF44350F004529F999C2190DB34EA49EBD1

Function 00F94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F94994
GetWindowTextW.USER32(?,?,00000400), ref: 00F949DA
_wcslen.LIBCMT ref: 00F949EB
CharUpperBuffW.USER32(?,00000000), ref: 00F949F7
_wcsstr.LIBVCRUNTIME ref: 00F94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F94B20
GetWindowRect.USER32(?,?), ref: 00F94B8B

Strings

ThumbnailClass, xrefs: 00F94A6F, 00F94AF1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a2cadb11b4b01b3b6542ec490fc612561f9a86c37a8c721be4e29aa7f47dc50f
Instruction ID: fa9a739ea90c5a9bf6338f18c58e6ce1b5fa3ec96dba76236b3040a5e5ccdead
Opcode Fuzzy Hash: a2cadb11b4b01b3b6542ec490fc612561f9a86c37a8c721be4e29aa7f47dc50f
Instruction Fuzzy Hash: B491B1714082099FEF04CF14C981FAA77E8FF94324F048469FD899A196DB34ED46EBA1

Function 00F9BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01001990,000000FF,00000000,00000030), ref: 00F9BFAC
SetMenuItemInfoW.USER32(01001990,00000004,00000000,00000030), ref: 00F9BFE1
Sleep.KERNEL32(000001F4), ref: 00F9BFF3
GetMenuItemCount.USER32(?), ref: 00F9C039
GetMenuItemID.USER32(?,00000000), ref: 00F9C056
GetMenuItemID.USER32(?,-00000001), ref: 00F9C082
GetMenuItemID.USER32(?,?), ref: 00F9C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F9C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F9C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F9C145

Strings

0, xrefs: 00F9BF3D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 26b163cdda8837a97daf1d662c88f89b98e95f10f4e0c556a48ecd46fd73b63d
Instruction ID: 2ade1a41726cfccdd9cdcc679a9cc390de183425fa41e97849b3a35b0e4d2318
Opcode Fuzzy Hash: 26b163cdda8837a97daf1d662c88f89b98e95f10f4e0c556a48ecd46fd73b63d
Instruction Fuzzy Hash: C461B0B090024AAFEF15CF64DE88EEE7BB8EB05354F044155F945E3292C735AD45EBA0

Function 00FBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FBCD48

Part of subcall function 00FBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FBCCAA
Part of subcall function 00FBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FBCCBD
Part of subcall function 00FBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FBCCCF
Part of subcall function 00FBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FBCD05
Part of subcall function 00FBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FBCCF3

Strings

advapi32.dll, xrefs: 00FBCCB8
RegDeleteKeyExW, xrefs: 00FBCCC9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3a6be05363cd40b892ce73a6cce3aede31eeeaf6237daa19828a6d860ae7a155
Instruction ID: c04407a8eb1e671e596d15bc7a804c4a72e70d178c1dc79ace12d29e72ec2033
Opcode Fuzzy Hash: 3a6be05363cd40b892ce73a6cce3aede31eeeaf6237daa19828a6d860ae7a155
Instruction Fuzzy Hash: 49318BB5D0112DBBDB208B52DC89EFFBB7CEF55750F000165E909E3200DA309A45BAE0

Function 00FA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FA3D40
_wcslen.LIBCMT ref: 00FA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FA3E55
CloseHandle.KERNEL32(00000000), ref: 00FA3E60
CloseHandle.KERNEL32(00000000), ref: 00FA3E6B

Strings

\, xrefs: 00FA3D77
:, xrefs: 00FA3D82
\??\%s, xrefs: 00FA3D5B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1f8cf21eb2fdd0d3c2e5b6459728ecd50cb8fc9b451cc6169a34cd7e8b28ca2a
Instruction ID: 31576d08b160e98a608794492a132caece0a75883f14cd6dc2508215c0837392
Opcode Fuzzy Hash: 1f8cf21eb2fdd0d3c2e5b6459728ecd50cb8fc9b451cc6169a34cd7e8b28ca2a
Instruction Fuzzy Hash: D631B2B290020DABDB219BA0DC49FEF37BCEF89750F1041B5FA09D6060EB749744AB64

Function 00F9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F9EAA7

Strings

play PlayMe, xrefs: 00F9EAA2
play PlayMe wait, xrefs: 00F9EA91
open , xrefs: 00F9EA0C
close PlayMe, xrefs: 00F9EA6E, 00F9EA9B
alias PlayMe, xrefs: 00F9EA36
status PlayMe mode, xrefs: 00F9EA58

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f838091cd4ca58ffd68aa3c102fc88985350e031c5218c9dccdee7b7d285a97f
Instruction ID: 0d16d2f6821b76aa03174a0553aff53207717314eb875158d68bb9dfa45ad78c
Opcode Fuzzy Hash: f838091cd4ca58ffd68aa3c102fc88985350e031c5218c9dccdee7b7d285a97f
Instruction Fuzzy Hash: 3B114231A9021D79EB20E761DC4AEFB7A7CEFD1B50F4004297901E20E1DEB45905E6B1

Function 00F99F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F9A012
SetKeyboardState.USER32(?), ref: 00F9A07D
GetAsyncKeyState.USER32(000000A0), ref: 00F9A09D
GetKeyState.USER32(000000A0), ref: 00F9A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00F9A0E3
GetKeyState.USER32(000000A1), ref: 00F9A0F4
GetAsyncKeyState.USER32(00000011), ref: 00F9A120
GetKeyState.USER32(00000011), ref: 00F9A12E
GetAsyncKeyState.USER32(00000012), ref: 00F9A157
GetKeyState.USER32(00000012), ref: 00F9A165
GetAsyncKeyState.USER32(0000005B), ref: 00F9A18E
GetKeyState.USER32(0000005B), ref: 00F9A19C

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4dd174d6e3051018583d459eae3181ac5751eb9e2d57c67e67dc794fdaed1209
Instruction ID: 722a90fc3e3f5705a1ac8274fa2aa14fe1a7c0d73a7a4236c6eb4bd5c822751f
Opcode Fuzzy Hash: 4dd174d6e3051018583d459eae3181ac5751eb9e2d57c67e67dc794fdaed1209
Instruction Fuzzy Hash: D151FB30D0878829FF35DB6489117EAFFB49F11394F08459DD5C2571C2DA949A8CEBE2

Function 00F95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F95CE2
GetWindowRect.USER32(00000000,?), ref: 00F95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F95D59
GetDlgItem.USER32(?,00000002), ref: 00F95D69
GetWindowRect.USER32(00000000,?), ref: 00F95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F95DCF
GetDlgItem.USER32(?,000003E9), ref: 00F95DDD
GetWindowRect.USER32(00000000,?), ref: 00F95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F95E31
GetDlgItem.USER32(?,000003EA), ref: 00F95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F95E67

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f14ac7661052388b3e2c61a4018b02128c28d633f8629c26d0d508b824478e48
Instruction ID: 77c97003e24e40ea0a6cc76c17049d4f120765b6a5043d0db858789ce951dd90
Opcode Fuzzy Hash: f14ac7661052388b3e2c61a4018b02128c28d633f8629c26d0d508b824478e48
Instruction Fuzzy Hash: BC511FB1E00609AFDF18DF68CE8AEAE7BB5EB48710F108129F519E7290D7709E04DB50

Function 00F48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F48BE8,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48FC5

DestroyWindow.USER32(?), ref: 00F48C81
KillTimer.USER32(00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000), ref: 00F869D4
DeleteObject.GDI32(00000000), ref: 00F869E6

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d60af06578d1413c3beea4aa0c6798d023df6ea3d52a193ccb52717d3a7c6819
Instruction ID: 8b2bec7a2a3d9ecba77412f0685ee46f6885bc830bee73bc0a97ce58cb277266
Opcode Fuzzy Hash: d60af06578d1413c3beea4aa0c6798d023df6ea3d52a193ccb52717d3a7c6819
Instruction Fuzzy Hash: 1061CE31902611DFDB369F14DA89B697BF1FB40362F104518E5829B5A0CB3AE982FF90

Function 00F49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

GetSysColor.USER32(0000000F), ref: 00F49862

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 827ceba26f481ba5122201670c8a62472622292cc01698b3ff839e8707c19894
Instruction ID: e318cc86b52e3b8e0dc3d376120a4fb58b3416926d5fc30b4b06804c795a8eb1
Opcode Fuzzy Hash: 827ceba26f481ba5122201670c8a62472622292cc01698b3ff839e8707c19894
Instruction Fuzzy Hash: FA4193316086449FDB209F3C9C49FBA3B65AB46330F684615FDA68B1E1D771D842FB50

Function 00F996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F99717
LoadStringW.USER32(00000000,?,00F7F7F8,00000001), ref: 00F99720

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F99742
LoadStringW.USER32(00000000,?,00F7F7F8,00000001), ref: 00F99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F99866

Strings

^ ERROR, xrefs: 00F997FB
Line %d:, xrefs: 00F997A0
Line %d (File "%s"):, xrefs: 00F9978F
%s (%d) : ==> %s: %s %s, xrefs: 00F9984A
Error: , xrefs: 00F9981D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5eb3bcd8a39cbaae61690e69bdcb45d6b74be6308f93bb52b243a1ba5899db33
Instruction ID: 81b5d27c674b5df8ad07d555ca5ed1410481daf934987e2d2c4f18e9c5e4705b
Opcode Fuzzy Hash: 5eb3bcd8a39cbaae61690e69bdcb45d6b74be6308f93bb52b243a1ba5899db33
Instruction Fuzzy Hash: C8414172804119AADF04FBE4CE46EEE7778AF55350F504029F605B2092EFB95F48EB61

Function 00F906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F9083C

Strings

SOFTWARE\Classes\, xrefs: 00F9070E
\CLSID, xrefs: 00F90724
\IPC$, xrefs: 00F90784

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 36d52a45ca7ec39a08d1b54ceb1ef8f9a659e7d9433dda86edaca25872f79a22
Instruction ID: e2e7311fc196e056edeac4c3c5979f9af5878f0b929ec3d9d5fd3ebb172ac72b
Opcode Fuzzy Hash: 36d52a45ca7ec39a08d1b54ceb1ef8f9a659e7d9433dda86edaca25872f79a22
Instruction Fuzzy Hash: 14411572C1022DAFDF25EBA4DC85CEDB778BF44760F444129E905A31A1EB749E04EBA0

Function 00FC3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FC403B
CreateCompatibleDC.GDI32(00000000), ref: 00FC4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FC4055
SelectObject.GDI32(00000000,00000000), ref: 00FC405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FC4068
DeleteDC.GDI32(00000000), ref: 00FC4072
GetWindowLongW.USER32(?,000000EC), ref: 00FC407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FC4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FC409E

Strings

static, xrefs: 00FC3FD3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2e197a870bf7502f297ecf4982768d2301d9d448a1f95c5de50e76138a49e232
Instruction ID: e843e4a6ef1f803dcd292e6e2072158d18896d244257aad96374b06369c69eb9
Opcode Fuzzy Hash: 2e197a870bf7502f297ecf4982768d2301d9d448a1f95c5de50e76138a49e232
Instruction Fuzzy Hash: 1631603254121AAFDF219FA4CE46FDA3B68FF0D360F110215FA58E61A0C775D811EB90

Function 00FB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB3C5C
CoInitialize.OLE32(00000000), ref: 00FB3C8A
CoUninitialize.OLE32 ref: 00FB3C94
_wcslen.LIBCMT ref: 00FB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FB3F0E
CoGetObject.OLE32(?,00000000,00FCFB98,?), ref: 00FB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FB3FC4
VariantClear.OLEAUT32(?), ref: 00FB3FD8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a8a848bd030888a968ff1a96b289fee350a62a0f38528c94a69070af192f4e58
Instruction ID: 6b8d1f27818f3c5a2f7047111b86d1f82f512a49871e8fc4a0e99594e8050edf
Opcode Fuzzy Hash: a8a848bd030888a968ff1a96b289fee350a62a0f38528c94a69070af192f4e58
Instruction Fuzzy Hash: 93C16571A083059FC700DF6AC98496BBBE9FF88754F14491DF98A9B250DB30EE05DB92

Function 00FA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FA7BA3
CoCreateInstance.OLE32(00FCFD08,00000000,00000001,00FF6E6C,?), ref: 00FA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FA7C74
CoTaskMemFree.OLE32(?,?), ref: 00FA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FA7D81
CoTaskMemFree.OLE32(00000000), ref: 00FA7DD6
CoUninitialize.OLE32 ref: 00FA7DDC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b25cdf86cbdaced4d0604dbace6034dfd5e97180697c8856115318e255f5f21e
Instruction ID: 45b851ece2dabaa4f9660431b8692bbfb352127f642e35c6f91edf2660dc90b5
Opcode Fuzzy Hash: b25cdf86cbdaced4d0604dbace6034dfd5e97180697c8856115318e255f5f21e
Instruction Fuzzy Hash: A6C12AB5A04209AFCB14DF64C884DAEBBF9FF49314F148499E81ADB261D730ED45DB90

Function 00FC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC5515
CharNextW.USER32(00000158), ref: 00FC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC55AC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a2211eb8d84b397c2f2fc48326b85ea64a963300dbaa9d34a2dd2c8c315a18fb
Instruction ID: 12315f7587b12d2d6a6bdcdf005a06aa7a6685f7133302051bbdbcac9e2f6568
Opcode Fuzzy Hash: a2211eb8d84b397c2f2fc48326b85ea64a963300dbaa9d34a2dd2c8c315a18fb
Instruction Fuzzy Hash: E5618C3190060AABDF10DF54CE86FFE7B79AB05B24F104549F529AB290D774AA80FB60

Function 00F8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F8FB08
VariantInit.OLEAUT32(?), ref: 00F8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F8FBA1
VariantClear.OLEAUT32(?), ref: 00F8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F8FBCC
VariantClear.OLEAUT32(?), ref: 00F8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F8FBE9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 778c0629e75a9e59f533a16dedd576b1dab48ab3b41209ac9ffd1d17a0837369
Instruction ID: 49f29a5b5c426a335b05a4a283f50cb6861d5fb6bf7db8f0a9a453ec613672cb
Opcode Fuzzy Hash: 778c0629e75a9e59f533a16dedd576b1dab48ab3b41209ac9ffd1d17a0837369
Instruction Fuzzy Hash: D9413E35A002199FCB04EF64CC55DEEBBB9FF48354F008069E95AA7261DB34A949DFA0

Function 00F99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F99D22
GetKeyState.USER32(000000A0), ref: 00F99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F99D57
GetKeyState.USER32(000000A1), ref: 00F99D6C
GetAsyncKeyState.USER32(00000011), ref: 00F99D84
GetKeyState.USER32(00000011), ref: 00F99D96
GetAsyncKeyState.USER32(00000012), ref: 00F99DAE
GetKeyState.USER32(00000012), ref: 00F99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F99DD8
GetKeyState.USER32(0000005B), ref: 00F99DEA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 70262764f96fb4e6db3467ff1b609c9f216945bcb30152afe092db66e2b2a953
Instruction ID: 28dfbae6ecd68f4c5b64f4fdcb2206f03fd6a22bd98bdd821e419fce05e7bf42
Opcode Fuzzy Hash: 70262764f96fb4e6db3467ff1b609c9f216945bcb30152afe092db66e2b2a953
Instruction Fuzzy Hash: 4241FB30D0C7CA69FF31976889443B5BEA06F12364F09405EC9C6575C1EBE559C8EBA2

Function 00FB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FB05BC
inet_addr.WSOCK32(?), ref: 00FB061C
gethostbyname.WSOCK32(?), ref: 00FB0628
IcmpCreateFile.IPHLPAPI ref: 00FB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FB07B9
WSACleanup.WSOCK32 ref: 00FB07BF

Strings

Ping, xrefs: 00FB0676

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 263c382d84acc48611c5e3d2ed3c52a19eef3b5520d79234f8df6c5faecf9031
Instruction ID: 049ea33b6bbbc06ecf263832ea710dacdae9f9177335b61f5eb384826478eac4
Opcode Fuzzy Hash: 263c382d84acc48611c5e3d2ed3c52a19eef3b5520d79234f8df6c5faecf9031
Instruction Fuzzy Hash: 539190359042019FD720DF16C989F5BBBE0EF44328F1885A9F4698B6A2CB34EC45EF91

Function 00FB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FB8CF3

Part of subcall function 00F98E54: _wcslen.LIBCMT ref: 00F98E77

_wcslen.LIBCMT ref: 00FB8D4E
_wcslen.LIBCMT ref: 00FB8D9C
_wcslen.LIBCMT ref: 00FB8DDC
_wcslen.LIBCMT ref: 00FB8E6E

Strings

stdcall, xrefs: 00FB8DD6, 00FB8DDB
none, xrefs: 00FB8E65, 00FB8E6A
cdecl, xrefs: 00FB8D48, 00FB8D4D
winapi, xrefs: 00FB8D96, 00FB8D9B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9fbd70ee54cc8b8a5b4103ae8e829ec7aa7382f93b2d11c43d96368431e75ee5
Instruction ID: 1e7d594a5d76813f62bd2c5120aa038ab9ce5733999bae18bdb0cbe033a58d9d
Opcode Fuzzy Hash: 9fbd70ee54cc8b8a5b4103ae8e829ec7aa7382f93b2d11c43d96368431e75ee5
Instruction Fuzzy Hash: AB51B431A041169BCB14DFA9C9419FEB7A9BFA4364B204229E916E7284DF34DD42EB90

Function 00FB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FB3774
CoUninitialize.OLE32 ref: 00FB377F
CoCreateInstance.OLE32(?,00000000,00000017,00FCFB78,?), ref: 00FB37D9
IIDFromString.OLE32(?,?), ref: 00FB384C
VariantInit.OLEAUT32(?), ref: 00FB38E4
VariantClear.OLEAUT32(?), ref: 00FB3936

Strings

Invalid parameter, xrefs: 00FB3865
NULL Pointer assignment, xrefs: 00FB381E
Failed to create object, xrefs: 00FB37E4, 00FB389A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: befa0de3a7d5d0248a58a822fd10e4bca1516988b846c3d81fccc0a92f6bb5de
Instruction ID: 71203e1948a633ae1b964c811771d907e82e5d04f393c8e22586653aaeb84f1a
Opcode Fuzzy Hash: befa0de3a7d5d0248a58a822fd10e4bca1516988b846c3d81fccc0a92f6bb5de
Instruction Fuzzy Hash: 3B61A072648301AFD710DF55C889FAABBE8EF44710F104809F98597291DB74EE48EF92

Function 00FA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FA33CF

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FA33F0

Strings

Incorrect parameters to object property !, xrefs: 00FA34AB
"%s" (%d) : ==> %s:, xrefs: 00FA3522
Line %d (File "%s"):, xrefs: 00FA3443, 00FA345C
^ ERROR , xrefs: 00FA349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00FA3504
Error: , xrefs: 00FA34D1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3db9bf5284ec299a4178235bdbf994389a53bf5aef737b1c5997afea289b71f1
Instruction ID: abc96c998d0a60460aa83cef109a2984c73a7ead069de1c2744ce0c9ab345738
Opcode Fuzzy Hash: 3db9bf5284ec299a4178235bdbf994389a53bf5aef737b1c5997afea289b71f1
Instruction Fuzzy Hash: 6A51AF72C0420AAADF15EBA0CD42EEEB778EF04350F148065F505B2062EB796F58FB61

Function 00F9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F9B5FC
_wcslen.LIBCMT ref: 00F9B608
_wcslen.LIBCMT ref: 00F9B64D
_wcslen.LIBCMT ref: 00F9B68C
_wcslen.LIBCMT ref: 00F9B6C7

Strings

REMOVE, xrefs: 00F9B602, 00F9B607
APPEND, xrefs: 00F9B6C1, 00F9B6C6
EXISTS, xrefs: 00F9B686, 00F9B68B
KEYS, xrefs: 00F9B647, 00F9B64C

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 15c678affaf7e9dd1d3683b260248f96aa16453c259ec714e60f54862508eaf0
Instruction ID: 07a26ffc8577a8d7c52217ee75912d7809c62f8561b482f97eae0f952e396c99
Opcode Fuzzy Hash: 15c678affaf7e9dd1d3683b260248f96aa16453c259ec714e60f54862508eaf0
Instruction Fuzzy Hash: 74412933E0002A9BDF206F7DDE905BE77A5AFA0774B244269E521D7280E735EC81E790

Function 00FA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FA5416
GetLastError.KERNEL32 ref: 00FA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FA54A7

Strings

INVALID, xrefs: 00FA5459
NOTREADY, xrefs: 00FA544B
READY, xrefs: 00FA5460, 00FA5468
UNKNOWN, xrefs: 00FA5444
READONLY, xrefs: 00FA5452

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bb3865c5d1271ec33d5025df8f147470122dbe883347dfcd756c25e93168de0e
Instruction ID: 48f67fac31e8f2fd4aca3afd361f8e45e7e3de4b273941e06446c0127d511585
Opcode Fuzzy Hash: bb3865c5d1271ec33d5025df8f147470122dbe883347dfcd756c25e93168de0e
Instruction Fuzzy Hash: E231F6B5E006089FC710DF68C894FAD7BB4EF4A715F188055E905CB262DB75ED82EB90

Function 00FC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FC3C79
SetMenu.USER32(?,00000000), ref: 00FC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC3D10
IsMenu.USER32(?), ref: 00FC3D24
CreatePopupMenu.USER32 ref: 00FC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC3D5B
DrawMenuBar.USER32 ref: 00FC3D63

Strings

0, xrefs: 00FC3C54
F, xrefs: 00FC3D4E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d684f56ae8d796371fa051afbd8c64b1041bd40fc93df12d7311be71491d5b1a
Instruction ID: 6ff02fe79cb447c9b7e60be39fb78189235908ce49de8dd603f53e31d95b2ae6
Opcode Fuzzy Hash: d684f56ae8d796371fa051afbd8c64b1041bd40fc93df12d7311be71491d5b1a
Instruction Fuzzy Hash: 2F416B75A0120AAFDB14CF64D945FAA7BB5FF49350F14442CF946A7350D731AA10EF90

Function 00F91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F91F64
GetDlgCtrlID.USER32 ref: 00F91F6F
GetParent.USER32 ref: 00F91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F91F8E
GetDlgCtrlID.USER32(?), ref: 00F91F97
GetParent.USER32(?), ref: 00F91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F91FAE

Strings

ComboBox, xrefs: 00F91EEC
ListBox, xrefs: 00F91F21

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7b8f06b1f26041458dd8ec0875ed9102810f30b0ae6b9414a3e47052a5eae302
Instruction ID: 16432aff97d5b140d1b1fb6071863736ba5e691a06ad26cc1183d4a399ab4ccf
Opcode Fuzzy Hash: 7b8f06b1f26041458dd8ec0875ed9102810f30b0ae6b9414a3e47052a5eae302
Instruction Fuzzy Hash: 0421A171900118ABDF05AFA0DD45DEEBBA4AF05354F000115F959A72A1CBB95908FB60

Function 00F91FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00F92043
GetDlgCtrlID.USER32 ref: 00F9204E
GetParent.USER32 ref: 00F9206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9206D
GetDlgCtrlID.USER32(?), ref: 00F92076
GetParent.USER32(?), ref: 00F9208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9208D

Strings

ComboBox, xrefs: 00F91FCD
ListBox, xrefs: 00F92002

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 274e2ea72996d73d00af598608b44fc35f602e0950107b456470d65a4b5ae87e
Instruction ID: cc254eb822844e6668c6ebd7ace859d9749f7d0c9121d1d0cdf3aa23bb4b8907
Opcode Fuzzy Hash: 274e2ea72996d73d00af598608b44fc35f602e0950107b456470d65a4b5ae87e
Instruction Fuzzy Hash: 8521C675D00218BBDF10AFA0DD85EFEBBB8EF05350F004015FA59A72A1DAB98915FB60

Function 00FC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00FC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FC3C13

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5ac84ca32a61a6abc052ab2544124e4ebd15d4fbae1892689e0a7b84d14b3f3e
Instruction ID: 562e3ed2c662157bec28f26f5ffd456e94c87504aeea7e43eb0124f541e90559
Opcode Fuzzy Hash: 5ac84ca32a61a6abc052ab2544124e4ebd15d4fbae1892689e0a7b84d14b3f3e
Instruction Fuzzy Hash: 82618A75900209AFDB21DFA8CD82FEE77F8EB49310F104099FA15A7291C774AE41EB60

Function 00F9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00F9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B21D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ced843a24019cee4a9af76562f8f2b805da9b8b9515d148408b338a8acd65a5d
Instruction ID: 443fe473f319dad72ee74a8c4a2b268f7df20070dab4c1542467327f6268bd77
Opcode Fuzzy Hash: ced843a24019cee4a9af76562f8f2b805da9b8b9515d148408b338a8acd65a5d
Instruction Fuzzy Hash: C5318E71900208AFEF27DF25EE59F6D7BA9FB51321F104005FA49DB180D7B9A941AF60

Function 00F62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F62C94

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F62CA0
_free.LIBCMT ref: 00F62CAB
_free.LIBCMT ref: 00F62CB6
_free.LIBCMT ref: 00F62CC1
_free.LIBCMT ref: 00F62CCC
_free.LIBCMT ref: 00F62CD7
_free.LIBCMT ref: 00F62CE2
_free.LIBCMT ref: 00F62CED
_free.LIBCMT ref: 00F62CFB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fff07eedab689fd0cc18de3ad0e1491b5924cd43b6e445a17670f7b9e4301654
Instruction ID: f4c6f0741a3caaf91430f43c648b3d966ee635c43ef3545d57da6ec4f3d05347
Opcode Fuzzy Hash: fff07eedab689fd0cc18de3ad0e1491b5924cd43b6e445a17670f7b9e4301654
Instruction Fuzzy Hash: CA119376600508AFCB86EF58DC82CDD3BB5FF45390F4144A5FA489B222DA35EA50BB90

Function 00FA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FA80B0

Strings

*.*, xrefs: 00FA8066

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 87a11d616ef409676957c124201c1c7117acc867b9fcaf7292f16c363aa5c555
Instruction ID: 4a9232e54d78c92b1787c806c9f0d3bd0253001d78927372218881dfb484f70d
Opcode Fuzzy Hash: 87a11d616ef409676957c124201c1c7117acc867b9fcaf7292f16c363aa5c555
Instruction Fuzzy Hash: 8C81B6B29083459BCB24EF14CC84E6AB3E8BF86360F144C5EF885D7250DB75DD45AB92

Function 00F35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F35C7A

Part of subcall function 00F35D0A: GetClientRect.USER32(?,?), ref: 00F35D30
Part of subcall function 00F35D0A: GetWindowRect.USER32(?,?), ref: 00F35D71
Part of subcall function 00F35D0A: ScreenToClient.USER32(?,?), ref: 00F35D99

GetDC.USER32 ref: 00F746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F74708
SelectObject.GDI32(00000000,00000000), ref: 00F74716
SelectObject.GDI32(00000000,00000000), ref: 00F7472B
ReleaseDC.USER32(?,00000000), ref: 00F74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F747C4

Strings

U, xrefs: 00F74693

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9b21069ce189c107668efe47718cd70e7c7972419e81fc03463c65be25d90e6f
Instruction ID: 1bb59ce9ead5bb54b22e4679ee97f02ac37ca840790558e85ab75d0b45f876e2
Opcode Fuzzy Hash: 9b21069ce189c107668efe47718cd70e7c7972419e81fc03463c65be25d90e6f
Instruction Fuzzy Hash: 1671E331800205DFCF268F64C985AB97BB5FF4A374F14822AED595A166C335A842FF52

Function 00FA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FA35E4

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

LoadStringW.USER32(01002390,?,00000FFF,?), ref: 00FA360A

Strings

^ ERROR, xrefs: 00FA36C9
"%s" (%d) : ==> %s:, xrefs: 00FA3742
Line %d (File "%s"):, xrefs: 00FA366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00FA3724
Error: , xrefs: 00FA36EF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 51c99bd79b5922a0b19f7ffa0352812e3c8ca2c27c78610fac24b7f9f8e9a639
Instruction ID: 6e0e56901b1e43a64bbaa6e88a36b814de6e3df7cea12e50b2aa92a2c6b34d09
Opcode Fuzzy Hash: 51c99bd79b5922a0b19f7ffa0352812e3c8ca2c27c78610fac24b7f9f8e9a639
Instruction Fuzzy Hash: 12517FB1C0421ABADF15EBA0CC42EEDBB38EF05310F144125F505721A1EB795B99EFA1

Function 00FAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FAC2CA
GetLastError.KERNEL32 ref: 00FAC322
SetEvent.KERNEL32(?), ref: 00FAC336
InternetCloseHandle.WININET(00000000), ref: 00FAC341

Strings

, xrefs: 00FAC2BB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 00222de189e2b816f14e23de31e6652af7be13e2aedf4931ebb30c30315c2930
Instruction ID: f212d4c8f5f657b54561bae51e2178dd62098b8ebbeb9eafaf745ceb07e03215
Opcode Fuzzy Hash: 00222de189e2b816f14e23de31e6652af7be13e2aedf4931ebb30c30315c2930
Instruction Fuzzy Hash: F2313CB1900708AFDB219F649D89AAB7AECEF4A754B14851AE44AD3200DB34D905ABE1

Function 00F9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F73AAF,?,?,Bad directive syntax error,00FCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F998BC
LoadStringW.USER32(00000000,?,00F73AAF,?), ref: 00F998C3

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F99987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00F998F1
Line %d:, xrefs: 00F99912
Line %d (File "%s"):, xrefs: 00F9992D
., xrefs: 00F9996D
Error: , xrefs: 00F99955

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b8cdc8a700ec38246cb773ca7b7fcd75961c2627a0dae64ef504ff4b6989699b
Instruction ID: 480f5deb6655b149ee8326a176b243bccef97857bde37e65dd447420bab6984c
Opcode Fuzzy Hash: b8cdc8a700ec38246cb773ca7b7fcd75961c2627a0dae64ef504ff4b6989699b
Instruction Fuzzy Hash: 25217E3284421EABDF15EF90CC06EEE7775FF18710F044419F619660A2EBB99618FB51

Function 00F9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F9214D

Strings

SHELLDLL_DefView, xrefs: 00F920CC
details, xrefs: 00F920FB
list, xrefs: 00F9212F
smallicons, xrefs: 00F92115
largeicons, xrefs: 00F920E1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9ef880bb506e650a2689cccfb7f93859b9148fb661d004e7b1cb0724a8a2d801
Instruction ID: 8620007239390e547cb34bb8bc4017937f3e3a070a92d0bf2b03d9565582689e
Opcode Fuzzy Hash: 9ef880bb506e650a2689cccfb7f93859b9148fb661d004e7b1cb0724a8a2d801
Instruction Fuzzy Hash: C6112C7768870ABAFE412620DC07DF6379CCF04725F200016FB08A50F1FE65A8957654

Function 00F68D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbbfc3ee2fbf46e8f2ea3fd00cc842ebea1264cd3dd59781647abf3e0f80705
Instruction ID: e935344005c3f2e9405047e801188d56d7b8a4183ce383118d470873bd3706fa
Opcode Fuzzy Hash: 4cbbfc3ee2fbf46e8f2ea3fd00cc842ebea1264cd3dd59781647abf3e0f80705
Instruction Fuzzy Hash: 3CC12475D08249AFCF11DFA8C841BADBBB4EF09360F044199F915A7392CB758946EB60

Function 00F6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F6CEB7
_free.LIBCMT ref: 00F6CF22
_free.LIBCMT ref: 00F6CF48
_free.LIBCMT ref: 00F6CF71
_free.LIBCMT ref: 00F6CFA9
_free.LIBCMT ref: 00F6CFDA
_free.LIBCMT ref: 00F6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F6D09C
_free.LIBCMT ref: 00F6D0B5

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1f91536b9fadee9a954d6b27211a667c8ea56d252377a6a2413d2522efba2367
Instruction ID: 8b097932f773483763a6a941e9d9163f722cabdda4b0d3cb024eeb82f30e4dd4
Opcode Fuzzy Hash: 1f91536b9fadee9a954d6b27211a667c8ea56d252377a6a2413d2522efba2367
Instruction Fuzzy Hash: 71611471E04201AFDB25AFB49C81B7E7BA5AF05360F04416EF9C597286DB3A9901B7F0

Function 00FC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FC5186
ShowWindow.USER32(?,00000000), ref: 00FC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FC51D1

Part of subcall function 00FC6FBA: DeleteObject.GDI32(00000000), ref: 00FC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00FC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FC5296

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: de6fce36560383631556a80dde7c62efd7c4b849d4d2720910e98973b9df669f
Instruction ID: 69b27162bb7fadfa40e1169b71e1c7a93656fe00b9e9c27203b0018bb28b23a5
Opcode Fuzzy Hash: de6fce36560383631556a80dde7c62efd7c4b849d4d2720910e98973b9df669f
Instruction Fuzzy Hash: 97519E30E40A0ABEEB209F24CE4BFD93BA5EB05B24F584009F519962E1C375B9C0FB40

Function 00F48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F48874,00000000,00000000,00000000,000000FF,00000000), ref: 00F86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F48874,00000000,00000000,00000000,000000FF,00000000), ref: 00F8692D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a91ba30bdeef007cbd74a9d76a10ac04f58d78544bd00eeea10bf5bdaaeef7dc
Instruction ID: bf2628e696e8e071abaa49ecee489cc53f579910cff3b8689a848d4febb3d969
Opcode Fuzzy Hash: a91ba30bdeef007cbd74a9d76a10ac04f58d78544bd00eeea10bf5bdaaeef7dc
Instruction Fuzzy Hash: BC515970A00209EFDB20DF24CD46FAA7BB5EF88760F104518F95AD72A0DB75E991EB50

Function 00FAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FAC182
GetLastError.KERNEL32 ref: 00FAC195
SetEvent.KERNEL32(?), ref: 00FAC1A9

Part of subcall function 00FAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FAC272
Part of subcall function 00FAC253: GetLastError.KERNEL32 ref: 00FAC322
Part of subcall function 00FAC253: SetEvent.KERNEL32(?), ref: 00FAC336
Part of subcall function 00FAC253: InternetCloseHandle.WININET(00000000), ref: 00FAC341

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e4ba750544614502097c1c7d6ea8f41dcbd64d00c53f0cbe6a37bf2a70831f24
Instruction ID: fef2b9b27d6cb90788aa66820ddd76754683bf261d03f1c927f879a7a0c5b3ef
Opcode Fuzzy Hash: e4ba750544614502097c1c7d6ea8f41dcbd64d00c53f0cbe6a37bf2a70831f24
Instruction Fuzzy Hash: 42319EB1600609AFDB219FA5DE44BA6BBF8FF5A310B04441EF95A83610D731E814FBE0

Function 00F925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F92627

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d405738c91864bc60abce1fe172088f1197b9e11d18e9f6b71cb0829ecda509e
Instruction ID: 06e3e566138b5313533b337b893cf5c0ee6e0568f8dde6f5255fa5047e2e5b9b
Opcode Fuzzy Hash: d405738c91864bc60abce1fe172088f1197b9e11d18e9f6b71cb0829ecda509e
Instruction Fuzzy Hash: 2F01D431790214BBFB20676A9C8BF593F59DB4EB12F110001F31CAF1D2C9F22444AAA9

Function 00F91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F91449,?,?,00000000), ref: 00F9180C
HeapAlloc.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F91449,?,?,00000000), ref: 00F91828
GetCurrentProcess.KERNEL32(?,00000000,?,00F91449,?,?,00000000), ref: 00F91830
DuplicateHandle.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F91449,?,?,00000000), ref: 00F91843
GetCurrentProcess.KERNEL32(00F91449,00000000,?,00F91449,?,?,00000000), ref: 00F9184B
DuplicateHandle.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F9184E
CreateThread.KERNEL32(00000000,00000000,00F91874,00000000,00000000,00000000), ref: 00F91868

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a6ff852a584debf8b280a1b93f07f61544b7bf7f27ea8643a0dac64e7113351d
Instruction ID: ce7ccccbcb21f1b545234fb10912bfb16a0afcd3dacd343759382562c9b13e96
Opcode Fuzzy Hash: a6ff852a584debf8b280a1b93f07f61544b7bf7f27ea8643a0dac64e7113351d
Instruction Fuzzy Hash: 6F01BFB5240348BFE710AB66DD4EF5B3B6CEB89B11F044411FA05DB192C6759800DB60

Function 00FBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F9D501
Part of subcall function 00F9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F9D50F
Part of subcall function 00F9D4DC: CloseHandle.KERNELBASE(00000000), ref: 00F9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FBA16D
GetLastError.KERNEL32 ref: 00FBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FBA268
GetLastError.KERNEL32(00000000), ref: 00FBA273
CloseHandle.KERNEL32(00000000), ref: 00FBA2C4

Strings

SeDebugPrivilege, xrefs: 00FBA18F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 69d33fee6605247dd2d3fd29db8769308134fa07fc53ee15322fc288a03d67be
Instruction ID: b02c4c8c95f4d0adeb9e1e462024e4247f1767a7260c913005f0d4fb3ff40372
Opcode Fuzzy Hash: 69d33fee6605247dd2d3fd29db8769308134fa07fc53ee15322fc288a03d67be
Instruction Fuzzy Hash: 6161A131604242AFD720DF19C895F55BBE1AF44328F18849CE46A8BBA3C776EC45DF92

Function 00F9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F9BCFD
IsMenu.USER32(00000000), ref: 00F9BD1D
CreatePopupMenu.USER32 ref: 00F9BD53
GetMenuItemCount.USER32(01565560), ref: 00F9BDA4
InsertMenuItemW.USER32(01565560,?,00000001,00000030), ref: 00F9BDCC

Strings

2, xrefs: 00F9BD37
0, xrefs: 00F9BCA8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cba4152e251c85fdccad1f063f6a823e8c4f63a883ce65b0e481dcce89cf3f9e
Instruction ID: 0e61719ab0a0819842d873e2f3b089500d1b598d690836901d0e568f4a3cf600
Opcode Fuzzy Hash: cba4152e251c85fdccad1f063f6a823e8c4f63a883ce65b0e481dcce89cf3f9e
Instruction Fuzzy Hash: 2C51D170A00209DBFF11CFA9EA88BAEBBF4FF45324F14411AE405D7290D7749941EB91

Function 00F9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F9C913

Strings

warning, xrefs: 00F9C8FC
blank, xrefs: 00F9C895
info, xrefs: 00F9C8B4
stop, xrefs: 00F9C8E4
question, xrefs: 00F9C8CC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d418944562558cc12c77e9038faa1a4574b3bf4dd51b8a84a5ff8c6afae70c38
Instruction ID: 827c8d7fe599e0b04276fd26ba134b590669fcabfa8be543fef3a14bcc821457
Opcode Fuzzy Hash: d418944562558cc12c77e9038faa1a4574b3bf4dd51b8a84a5ff8c6afae70c38
Instruction Fuzzy Hash: 59110033A8930ABAFF056B549C83DAA7B9CDF15769B10002AF604E6192DB74AD4073E5

Function 00F9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F9DE42
gethostname.WSOCK32(?,00000100), ref: 00F9DE5C
gethostbyname.WSOCK32(?), ref: 00F9DE69
inet_ntoa.WSOCK32(?), ref: 00F9DEAB
_strcat.LIBCMT ref: 00F9DEB9
WSACleanup.WSOCK32 ref: 00F9DEDE

Strings

0.0.0.0, xrefs: 00F9DE87

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ebb952ed86b5990c6efe1fb13088d07c9399ecde107d16a013ab099dddd452d4
Instruction ID: d34fa532e441afb71486a62143c4ec39690239e0a56ebedc6d9167006e734e9e
Opcode Fuzzy Hash: ebb952ed86b5990c6efe1fb13088d07c9399ecde107d16a013ab099dddd452d4
Instruction Fuzzy Hash: C4113671800109ABDF24BB60DC0BEEF37ACDF10721F110169F50997091EF749A84BAA0

Function 00FC9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetSystemMetrics.USER32(0000000F), ref: 00FC9FC7
GetSystemMetrics.USER32(0000000F), ref: 00FC9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FCA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FCA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FCA263
ShowWindow.USER32(00000003,00000000), ref: 00FCA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00FCA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FCA2CA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2250253d1c9a48122588d45a3b68065c547de42a8309606f4f45c951ed6070d0
Instruction ID: b95d9992a7af05c5c9bf19249d8373164f30a590ddd25711211953105fffbd25
Opcode Fuzzy Hash: 2250253d1c9a48122588d45a3b68065c547de42a8309606f4f45c951ed6070d0
Instruction Fuzzy Hash: 68B19E31A0021ADFDF14CF68CA86BEE7BB2FF44715F088069ED499B295D731A940EB51

Function 00F9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F9ED2A
_wcslen.LIBCMT ref: 00F9ED3B
_wcslen.LIBCMT ref: 00F9ED79
_wcslen.LIBCMT ref: 00F9EDAF
_wcslen.LIBCMT ref: 00F9EDDF
_wcslen.LIBCMT ref: 00F9EDEF
_wcslen.LIBCMT ref: 00F9EE2B
_wcslen.LIBCMT ref: 00F9EE5A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a0f7e5e9f7d4d00d0b9771717efb8663b4049cd28b6b057da1f1a6c38c6e415c
Instruction ID: 39171252ec8f187d48992d126f802ad34ea456cae342bf39270cdf8da945fd72
Opcode Fuzzy Hash: a0f7e5e9f7d4d00d0b9771717efb8663b4049cd28b6b057da1f1a6c38c6e415c
Instruction Fuzzy Hash: A941B265C1021875DF11EBF48C8A9CFB7B8EF45311F508466EA18E3122FB38E249D3A5

Function 00F4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,?,?,?,?,00000005,?,?,00F4F8B0,00000005,00000000), ref: 00F4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,?,?,?,00000005,?,?,00F4F8B0,00000005,00000000), ref: 00F8F3D1
ShowWindow.USER32(FFFFFFFF,?,?,?,?,?,00000005,?,?,00F4F8B0,00000005,00000000), ref: 00F8F454

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bf60cd3a61fe0f655412e55c30edb87e4501d8894395e3537eb113ebb6c109e6
Instruction ID: ff0cd6909c41fd8ee0396dabbab53e08f7effb3d49b604922d9575ab560d859b
Opcode Fuzzy Hash: bf60cd3a61fe0f655412e55c30edb87e4501d8894395e3537eb113ebb6c109e6
Instruction Fuzzy Hash: 9E413B31A18640BED7399F28CD88B6A7F91AF56320F14443DE88F53660C732A888FB51

Function 00FC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC2D1B
GetDC.USER32(00000000), ref: 00FC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00FC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FC2DE1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5b3de7f600d99fa2f699bbd0c12e164d7ad65a2bc6f29f56a1086ddbb73076cf
Instruction ID: 1df263becc5009b442f24b95207ba55718f795c6955a319820b7bee4ee98c451
Opcode Fuzzy Hash: 5b3de7f600d99fa2f699bbd0c12e164d7ad65a2bc6f29f56a1086ddbb73076cf
Instruction Fuzzy Hash: 3B318B72201214BFEB118F548E8AFEB3BA9EF59721F084055FE099B291C6759C41DBA0

Function 00F95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F95637
_memcmp.LIBVCRUNTIME ref: 00F95659
_memcmp.LIBVCRUNTIME ref: 00F95671
_memcmp.LIBVCRUNTIME ref: 00F95684
_memcmp.LIBVCRUNTIME ref: 00F9569E
_memcmp.LIBVCRUNTIME ref: 00F956B1
_memcmp.LIBVCRUNTIME ref: 00F956C9
_memcmp.LIBVCRUNTIME ref: 00F956E4

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0f07bcf1d6cb21f5e8eab80baf54bbc3e85b81d8f5ba53ac9ee75cfb7d3ecc93
Instruction ID: 83d55d4e5326150de52a84ca164190786bada12305a5a498d99994093df9cc15
Opcode Fuzzy Hash: 0f07bcf1d6cb21f5e8eab80baf54bbc3e85b81d8f5ba53ac9ee75cfb7d3ecc93
Instruction Fuzzy Hash: 52213A62F4090A77FA159D208E93FBA734DBF51B91F400024FE049A541F724FE18B7A6

Function 00FB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FB5007
NULL Pointer assignment, xrefs: 00FB502E, 00FB5383

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 44101eb7786fbb970139b5d3724655a22747fd81021fb3c89fc287d3e02f26fd
Instruction ID: e67c65d8a13b8ca435ddd919b18ac7848cb12bfe9e7744cc8c47259162e6f17b
Opcode Fuzzy Hash: 44101eb7786fbb970139b5d3724655a22747fd81021fb3c89fc287d3e02f26fd
Instruction Fuzzy Hash: 1BD1EC71A0060AAFDF10DFA9C880BEEB7B5BF48754F148069E915AB280E774DD45DFA0

Function 00F71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00F715CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F71651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F716E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F716FB

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F71777
__freea.LIBCMT ref: 00F717A2
__freea.LIBCMT ref: 00F717AE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9fb93cf540668aa19f5110a743e8f913f88fe02be32ba3005e4d76b080ecde18
Instruction ID: c355d6a0854e5fef48adfa5a83f3fd6fa7b75be8c114fd17bc4825693d8c5b1b
Opcode Fuzzy Hash: 9fb93cf540668aa19f5110a743e8f913f88fe02be32ba3005e4d76b080ecde18
Instruction Fuzzy Hash: 2C91E972E002165ADF288E7CCC41EEE7BB5BF45720F18865AE809E7140D735DD49E7A2

Function 00FB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB4648
VariantInit.OLEAUT32(?), ref: 00FB4749
VariantClear.OLEAUT32(?), ref: 00FB4753
VariantClear.OLEAUT32(?), ref: 00FB47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00FB45D8, 00FB4706, 00FB47BE
Incorrect Object type in FOR..IN loop, xrefs: 00FB472C

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: c6e2f702aacdc7a98a2601c6e01947a938ce585e146c1765d06e34afbaf7434a
Instruction ID: 58adcbcaa3e07216c8e19873b7213d93130a4f85e21e5a84d83824af8c521fe0
Opcode Fuzzy Hash: c6e2f702aacdc7a98a2601c6e01947a938ce585e146c1765d06e34afbaf7434a
Instruction Fuzzy Hash: CA918271E00219ABDF20CF66C944FEEBBB9AF45720F108559E505AB282D770A945DFA0

Function 00FA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA1430

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d906d846d29f53dbfc44234fcc6151b7aa0076132ed2a404a937cc46237abaac
Instruction ID: fac13f3e811d0e54b938b7b9a742abac063dc05f1aec0379687a03ebeb524c2b
Opcode Fuzzy Hash: d906d846d29f53dbfc44234fcc6151b7aa0076132ed2a404a937cc46237abaac
Instruction Fuzzy Hash: 9691E6B1E002099FDB00DF98C885BBE77B5FF46325F164029E941EB291D778E945EB90

Function 00F4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5dae07ea525b743813cd26840e974860c7ea799bac5a0f18f93977ed48b7846a
Instruction ID: 88fa6172958918ca1419e835d425b4355d02cf37769c299c72b3d5da56e6afef
Opcode Fuzzy Hash: 5dae07ea525b743813cd26840e974860c7ea799bac5a0f18f93977ed48b7846a
Instruction Fuzzy Hash: 01912871E44219AFCB10DFA9CC84AEEBFB8FF49320F244159E915B7251D378A941EB60

Function 00FB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB396B
CharUpperBuffW.USER32(?,?), ref: 00FB3A7A
_wcslen.LIBCMT ref: 00FB3A8A
VariantClear.OLEAUT32(?), ref: 00FB3C1F

Part of subcall function 00FA0CDF: VariantInit.OLEAUT32(00000000), ref: 00FA0D1F
Part of subcall function 00FA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FA0D28
Part of subcall function 00FA0CDF: VariantClear.OLEAUT32(?), ref: 00FA0D34

Strings

AUTOIT.ERROR, xrefs: 00FB3A80, 00FB3A85
Incorrect Parameter format, xrefs: 00FB39A6, 00FB3BA1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9178cc6cd57a3cf3ad13fe226685a2f6db7473b7ddfd7f4e3b9c2ce38e5fc2de
Instruction ID: 94c5b8781c4eff2b0e30bac6a968ff606a1de6f42630eacc59e5225866a13ce3
Opcode Fuzzy Hash: 9178cc6cd57a3cf3ad13fe226685a2f6db7473b7ddfd7f4e3b9c2ce38e5fc2de
Instruction Fuzzy Hash: 47913675A083059FC704EF25C88196AB7E5BF88324F14892DF88997351DB34EE45EF92

Function 00FB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?,?,00F9035E), ref: 00F9002B
Part of subcall function 00F9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90046
Part of subcall function 00F9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90054
Part of subcall function 00F9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?), ref: 00F90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FB4C51
_wcslen.LIBCMT ref: 00FB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FB4DCF
CoTaskMemFree.OLE32(?), ref: 00FB4DDA

Strings

NULL Pointer assignment, xrefs: 00FB4E23, 00FB4E52

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b0e300ec7ef065fcbbc514f1caa359b92cda2067cc70a2616502c603e42cc0b0
Instruction ID: e30c6d2a873ff69eb17a38e74bf793399945412841a283dac941502e25bc3fdf
Opcode Fuzzy Hash: b0e300ec7ef065fcbbc514f1caa359b92cda2067cc70a2616502c603e42cc0b0
Instruction Fuzzy Hash: AE911671D0021DAFDF14DFA5CC91AEEB7B8BF48310F108169E915A7291DB74AA44EFA0

Function 00FC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FC2183
GetMenuItemCount.USER32(00000000), ref: 00FC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FC21DD
_wcslen.LIBCMT ref: 00FC2213
GetMenuItemID.USER32(?,?), ref: 00FC224D
GetSubMenu.USER32(?,?), ref: 00FC225B

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FC22E3

Part of subcall function 00F9E97B: Sleep.KERNEL32 ref: 00F9E9F3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 485b89e680b04cb99d43d8d864f0394e5635c98cf78b543dcb0ef2d53ae08c22
Instruction ID: fca90c13dc46fdff3ec4498fa4246aea8f6052bb9046697920af51f5db19a856
Opcode Fuzzy Hash: 485b89e680b04cb99d43d8d864f0394e5635c98cf78b543dcb0ef2d53ae08c22
Instruction Fuzzy Hash: 40718E75E00206AFDB54EF64C942FAEB7F1EF48320F148459E816EB341D738AD41AB90

Function 00FC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01565538), ref: 00FC7F37
IsWindowEnabled.USER32(01565538), ref: 00FC7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FC801E
SendMessageW.USER32(01565538,000000B0,?,?), ref: 00FC8051
IsDlgButtonChecked.USER32(?,?), ref: 00FC8089
GetWindowLongW.USER32(01565538,000000EC), ref: 00FC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FC80C3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7c9d5c89eb35499d845a01c9883ac1d155b951869c30c00dbbafd3939fd442d
Instruction ID: bd51882eb656ea21542f2eafa2c4330420c1156ea6f0821bb3e8b6c3fda23153
Opcode Fuzzy Hash: a7c9d5c89eb35499d845a01c9883ac1d155b951869c30c00dbbafd3939fd442d
Instruction Fuzzy Hash: 0C71BF34A08346AFEB21AF64CEC6FAABBB5EF09360F14005DE95553251CB31A845FF90

Function 00F9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F9AEF9
GetKeyboardState.USER32(?), ref: 00F9AF0E
SetKeyboardState.USER32(?), ref: 00F9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F9B020

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 898a758c5ab2a417faf40bc7f9c8a9331b514608025077334aed0470737c4a35
Instruction ID: 1d9dd83d8c2c3e31ea27f98fc55a4fae7bebcd8fd7e38b04e582f279ec8b4e92
Opcode Fuzzy Hash: 898a758c5ab2a417faf40bc7f9c8a9331b514608025077334aed0470737c4a35
Instruction Fuzzy Hash: C851D1A1A047D53DFF3743348D49BBABEA95B06318F088589E1D9458D2C3D9ACC8F791

Function 00F9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F9AD19
GetKeyboardState.USER32(?), ref: 00F9AD2E
SetKeyboardState.USER32(?), ref: 00F9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F9AE38

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 42d1c60442cb784ff7be0458aa38a04342d56bbe6c1db5310b3b2ab3c7444861
Instruction ID: c41996d84e70317f353046b2aaca43859b5f1397a88bf9c91e99b7c4ed3d5c84
Opcode Fuzzy Hash: 42d1c60442cb784ff7be0458aa38a04342d56bbe6c1db5310b3b2ab3c7444861
Instruction Fuzzy Hash: CC51D5A1D047D53DFF3793358C55B7A7EA85B46310F088489E1D9468C2D294EC98F7D2

Function 00F6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F73CD6,?,?,?,?,?,?,?,?,00F65BA3,?,?,00F73CD6,?,?), ref: 00F65470
__fassign.LIBCMT ref: 00F654EB
__fassign.LIBCMT ref: 00F65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F73CD6,00000005,00000000,00000000), ref: 00F6552C
WriteFile.KERNEL32(?,00F73CD6,00000000,00F65BA3,00000000,?,?,?,?,?,?,?,?,?,00F65BA3,?), ref: 00F6554B
WriteFile.KERNEL32(?,?,00000001,00F65BA3,00000000,?,?,?,?,?,?,?,?,?,00F65BA3,?), ref: 00F65584

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d42a9af1b3bf286618d9fbeed2ab7ebaf2030c7a0ba37f7a5818f2655aa06e73
Instruction ID: 4d5c1456a2f136d58c50f59d9c43b0430267d5aa722060bf6fa8a63f0cee9254
Opcode Fuzzy Hash: d42a9af1b3bf286618d9fbeed2ab7ebaf2030c7a0ba37f7a5818f2655aa06e73
Instruction Fuzzy Hash: B851DFB1E006499FDB10CFA8D846AEEBBF9EF08710F18411EF946F3291D6309A41DB60

Function 00F52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F52D53
_ValidateLocalCookies.LIBCMT ref: 00F52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F52E0C
_ValidateLocalCookies.LIBCMT ref: 00F52E61

Strings

csm, xrefs: 00F52DF6

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c8a663c2390f4e43e973773d04606ebb373973cc707460d5bfb0aeef2f00cc0f
Instruction ID: aa77299c459bc567a4c195cc1a1f228f1b5d5abc269d3407529d1dcd09fce808
Opcode Fuzzy Hash: c8a663c2390f4e43e973773d04606ebb373973cc707460d5bfb0aeef2f00cc0f
Instruction Fuzzy Hash: 9041E834E002089BCF10DF68CC45A9EBBB5BF46326F148255EE146B352D735DA09EBD0

Function 00FB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
Part of subcall function 00FB304E: _wcslen.LIBCMT ref: 00FB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FB1112
WSAGetLastError.WSOCK32 ref: 00FB1121
WSAGetLastError.WSOCK32 ref: 00FB11C9
closesocket.WSOCK32(00000000), ref: 00FB11F9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2a0ef10c9c87fd122812cc3daeea518ef75f3952ad7f2137a419058c82276be4
Instruction ID: b5c976218307d2e1381e8cb5b95845b53b58bca90738b4a8aba6aaf5840bd138
Opcode Fuzzy Hash: 2a0ef10c9c87fd122812cc3daeea518ef75f3952ad7f2137a419058c82276be4
Instruction Fuzzy Hash: 5D41D036600208AFDB109F29CC95BEABBA9FF45364F148059F909AB291C774AD41DFE0

Function 00F9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F9CF22,?), ref: 00F9DDFD

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F9CF22,?), ref: 00F9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F9CF45
MoveFileW.KERNEL32(?,?), ref: 00F9CF7F
_wcslen.LIBCMT ref: 00F9D005
_wcslen.LIBCMT ref: 00F9D01B
SHFileOperationW.SHELL32(?), ref: 00F9D061

Strings

\*.*, xrefs: 00F9CFF3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 44f0a99d364e1bc74ef17fc3219208d88c95d082609533be5bf813fa61762c59
Instruction ID: 798038c7c8da9977500c7a0a1551f0061b0ee4cc95e207464b4c97a01ba858f4
Opcode Fuzzy Hash: 44f0a99d364e1bc74ef17fc3219208d88c95d082609533be5bf813fa61762c59
Instruction Fuzzy Hash: 0F415871D051185FEF12EBA4DD81EDDB7B8AF04384F1000E6E509E7141EA74A688DB50

Function 00FC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00FC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00FC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00FC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00FC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00FC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00FC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC2F0B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a6bac163865a9f5be888c63df0f3e06919d170a28ccf99a38b944aaf13c2a55c
Instruction ID: 8cffeba59296894baebce81cd110e9f7d85ad5971e7da97e64dee41f5b893d1d
Opcode Fuzzy Hash: a6bac163865a9f5be888c63df0f3e06919d170a28ccf99a38b944aaf13c2a55c
Instruction Fuzzy Hash: 6D311931A04156AFDB61DF58DE86FA537E1FB4A720F150168F9449F2A1CB72EC40EB41

Function 00F97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F9778F
SysAllocString.OLEAUT32(00000000), ref: 00F97792
SysAllocString.OLEAUT32(?), ref: 00F977B0
SysFreeString.OLEAUT32(?), ref: 00F977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F977DE
SysAllocString.OLEAUT32(?), ref: 00F977EC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 43b18445bbc1bd483cc3213659730605935b6b33b3c912d23772a32eed4eb242
Instruction ID: cc796317202ed4ff2e8db7fd06cc56a432131a937b43d5ef1d38b84e603ce071
Opcode Fuzzy Hash: 43b18445bbc1bd483cc3213659730605935b6b33b3c912d23772a32eed4eb242
Instruction Fuzzy Hash: 9F21C476A04319AFEF10EFE9CC89DBB77ACEB093647048025F908DB150D670DC45A7A1

Function 00F977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97868
SysAllocString.OLEAUT32(00000000), ref: 00F9786B
SysAllocString.OLEAUT32 ref: 00F9788C
SysFreeString.OLEAUT32 ref: 00F97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F978AF
SysAllocString.OLEAUT32(?), ref: 00F978BD

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 82d43b957fdd45752d8b3e82c408028bb975939cd15fba7b0e765e701ff3298a
Instruction ID: 897c6a86ecf36a18a5b75055c2d706635aae71ff2ecb935f3ba1f0e7d60c4c9d
Opcode Fuzzy Hash: 82d43b957fdd45752d8b3e82c408028bb975939cd15fba7b0e765e701ff3298a
Instruction Fuzzy Hash: E4217731A14308AFEF10EFA8DC89DAA77ECFB097607148125F915CB1A1D674DC41DB64

Function 00FA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA052E

Strings

nul, xrefs: 00FA0567

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a48ff1ec74a7bdbbc197a68f0ee333138bf94b1f32c0cb059dbcc114a097e150
Instruction ID: f21d93a65fe0dc82b1eb36043876e90b48503e1c300d1c159a3db5e3d67f4d1e
Opcode Fuzzy Hash: a48ff1ec74a7bdbbc197a68f0ee333138bf94b1f32c0cb059dbcc114a097e150
Instruction Fuzzy Hash: 782191B5D003059FDB208F29EC05A9A7BB4AF46760F244A18E8A1D31E0DB709940EF60

Function 00FA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA0601

Strings

nul, xrefs: 00FA0639

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 42503efe5c6855636095ae7789e8034aad8362f63c81a9c2e836c23228e6679d
Instruction ID: df54424ff4cd0ed0065d456441b41f135855c0deb3ebef8f1fe7c4f48069cf96
Opcode Fuzzy Hash: 42503efe5c6855636095ae7789e8034aad8362f63c81a9c2e836c23228e6679d
Instruction Fuzzy Hash: FD2183B59003059FDB209F69AC05E9A77F4BF96734F200A19F9A1E73E0DB719860EB50

Function 00F6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F6D7A3: _free.LIBCMT ref: 00F6D7CC

_free.LIBCMT ref: 00F6D82D

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6D838
_free.LIBCMT ref: 00F6D843
_free.LIBCMT ref: 00F6D897
_free.LIBCMT ref: 00F6D8A2
_free.LIBCMT ref: 00F6D8AD
_free.LIBCMT ref: 00F6D8B8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d650bb73ab1b75fc19b729ebf519ff975ed6d7710430088d82a6002db4b53f5d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: F4115B71B40B04AADA25BFB0CC47FCB7BFCAF40740F440825B299A6092DA69B505B662

Function 00F9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F9DA74
LoadStringW.USER32(00000000), ref: 00F9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F9DA91
LoadStringW.USER32(00000000), ref: 00F9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F9DAB9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 23d4a50ed12875d37a6ab0c047a63d2119aab1a315a33966e0655725abe4506d
Instruction ID: df3d85e96833a06ef0b816e6c9763479e904a114061c589aa2b3f0e94be33267
Opcode Fuzzy Hash: 23d4a50ed12875d37a6ab0c047a63d2119aab1a315a33966e0655725abe4506d
Instruction Fuzzy Hash: 280117F650020C7FEB11EBA49E8AEE7766CDB04701F404455F749E2041EA749E856F75

Function 00FA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0155E0A0,0155E0A0), ref: 00FA097B
EnterCriticalSection.KERNEL32(0155E080,00000000), ref: 00FA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FA09A9
CloseHandle.KERNEL32(?), ref: 00FA09B8
InterlockedExchange.KERNEL32(0155E0A0,000001F6), ref: 00FA09C8
LeaveCriticalSection.KERNEL32(0155E080), ref: 00FA09CF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5a2c2b89bcbfcde72cf81ccc04067a09d1a0f38b106c0385c0904bc696f4baed
Instruction ID: b13c9852d3bcff426178ce099224bb39a5ff3944b79f181bebb6ce438f9e4f68
Opcode Fuzzy Hash: 5a2c2b89bcbfcde72cf81ccc04067a09d1a0f38b106c0385c0904bc696f4baed
Instruction Fuzzy Hash: 5DF01972442A06BBD7415BA4EF8AED6BA39FF06712F402025F206928A0CB759465EFD0

Function 00F35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F35D30
GetWindowRect.USER32(?,?), ref: 00F35D71
ScreenToClient.USER32(?,?), ref: 00F35D99
GetClientRect.USER32(?,?), ref: 00F35ED7
GetWindowRect.USER32(?,?), ref: 00F35EF8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 69886b21d9eb3343aab4e6884466c18856ac9cdef58e31bb6452c2d0665d696a
Instruction ID: 0fcf1b24f651401454c33e10509d9f3dc5aa27d8b27c127de2a66b2f337702f8
Opcode Fuzzy Hash: 69886b21d9eb3343aab4e6884466c18856ac9cdef58e31bb6452c2d0665d696a
Instruction Fuzzy Hash: 0DB17A35A0074ADBDB10CFA9C5807EEB7F1FF48320F14841AE8A9D7250DB34AA91EB55

Function 00F601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F600D6
__allrem.LIBCMT ref: 00F600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6010B
__allrem.LIBCMT ref: 00F60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F60140

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 58678b1a9af3c042052dfda87c743ecbaf68b50661eb5899ee5a7509716764ac
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 0581F672A00706ABE7249F78CC41B6B73E9AF42334F24463AF951D7681EB74D948B790

Function 00FB1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00FB101C,00000000,?,?,00000000), ref: 00FB3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FB1DE1
WSAGetLastError.WSOCK32 ref: 00FB1DF2
inet_ntoa.WSOCK32(?), ref: 00FB1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00FB1EDB
_strlen.LIBCMT ref: 00FB1F35

Part of subcall function 00F939E8: _strlen.LIBCMT ref: 00F939F2

Part of subcall function 00F36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00F4CF58,?,?,?), ref: 00F36DBA
Part of subcall function 00F36D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00F4CF58,?,?,?), ref: 00F36DED

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: e0a301a3a828c3c0aacd3406e351ffacb52decb71c3ad92cfdeda8ef20a31874
Instruction ID: f411383df65eccaf937b0551690ec13984b6095cd45aa47dce3ac0df2f8387cd
Opcode Fuzzy Hash: e0a301a3a828c3c0aacd3406e351ffacb52decb71c3ad92cfdeda8ef20a31874
Instruction Fuzzy Hash: 55A1E031604300AFC320DF21CCA5F6A7BA5BF84328F94894CF5565B2A2CB75ED46EB91

Function 00F661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F582D9,00F582D9,?,?,?,00F6644F,00000001,00000001,8BE85006), ref: 00F66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F6644F,00000001,00000001,8BE85006,?,?,?), ref: 00F662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F663D8
__freea.LIBCMT ref: 00F663E5

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

__freea.LIBCMT ref: 00F663EE
__freea.LIBCMT ref: 00F66413

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f6a5a3dfacb4b755b3fbdcac2cea45d04834f8cc7e21b20d569e6b5817b809f9
Instruction ID: 661cffd7ce330cc872c56ed4ce8c86223a28083d6fdd07e81600f501186a2267
Opcode Fuzzy Hash: f6a5a3dfacb4b755b3fbdcac2cea45d04834f8cc7e21b20d569e6b5817b809f9
Instruction Fuzzy Hash: AE51C372A00216ABDF258F64DD82EBF77A9EF44760F15462AFC05D7240EB34DC44E6A0

Function 00FBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FBBDF3
RegCloseKey.ADVAPI32(?), ref: 00FBBDFF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: eadf856a09887b7b1e9adb301df5caf1c7a03710d54348407543d01e48ce6d9d
Instruction ID: 7d869a2b9a01da0c2bd4e7deedfe650e886c982b2a96a3cd6fa4d36ca040e6bd
Opcode Fuzzy Hash: eadf856a09887b7b1e9adb301df5caf1c7a03710d54348407543d01e48ce6d9d
Instruction Fuzzy Hash: E381BC71608241AFC714DF25C881E6ABBE5FF84318F14895CF4998B2A2CB75ED05EF92

Function 00F8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F8F860
VariantCopy.OLEAUT32(00F8FA64,00000000), ref: 00F8F889
VariantClear.OLEAUT32(00F8FA64), ref: 00F8F8AD
VariantCopy.OLEAUT32(00F8FA64,00000000), ref: 00F8F8B1
VariantClear.OLEAUT32(?), ref: 00F8F8BB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 337eafffe8e973b675801510044c2aeaac9c2ee85951afe8bcb784aaa056e466
Instruction ID: db98c6b59cd22b95452b3a137c449cc956cb3b4e92d049a2c02fd263c1ece836
Opcode Fuzzy Hash: 337eafffe8e973b675801510044c2aeaac9c2ee85951afe8bcb784aaa056e466
Instruction Fuzzy Hash: D751D932A00310BEDF14BF65DC96BA9B3A4EF45320F249466E905DF291DB748C48E7A6

Function 00FA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FA94E5
_wcslen.LIBCMT ref: 00FA9506
_wcslen.LIBCMT ref: 00FA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FA9585

Strings

X, xrefs: 00FA9412

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c1c0bd8ca0852fb620de5ff956670f17a5171603dfdfbcfce0b9573daadea25e
Instruction ID: fb3f2075051f50f42c67a6834994d7e0d2bb76a5c31450503cbe2922ea8c72be
Opcode Fuzzy Hash: c1c0bd8ca0852fb620de5ff956670f17a5171603dfdfbcfce0b9573daadea25e
Instruction Fuzzy Hash: 4EE1A4719083409FC724DF24C881B6AB7E4BF85324F08856DF8899B2A2DB75ED05DB92

Function 00F4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

BeginPaint.USER32(?,?,?), ref: 00F49241
GetWindowRect.USER32(?,?), ref: 00F492A5
ScreenToClient.USER32(?,?), ref: 00F492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F492D3
EndPaint.USER32(?,?,?,?,?), ref: 00F49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F871EA

Part of subcall function 00F49339: BeginPath.GDI32(00000000), ref: 00F49357

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0c246fef1cc3a881da84d4e74ebeea32ddd29bca5d46d24695972a2acfcb03e3
Instruction ID: 545b6b04968487f833eca11160505099abafa373a5eea883581d5b3943a866c9
Opcode Fuzzy Hash: 0c246fef1cc3a881da84d4e74ebeea32ddd29bca5d46d24695972a2acfcb03e3
Instruction Fuzzy Hash: 5B419131608301AFD721EF24CC89FBB7BA8EF46320F140269F998872E1C7759945EB61

Function 00FA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FA0847
EnterCriticalSection.KERNEL32(?), ref: 00FA0863
LeaveCriticalSection.KERNEL32(?), ref: 00FA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA0921

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a0cf417c64d66b47b03aa3f65cb2bff857bf0ecc4dc4c474ae48bccc65f94497
Instruction ID: 98d948fc84e3f77e3259e5ac559735b81e95e7d384df232913599d448724e8d6
Opcode Fuzzy Hash: a0cf417c64d66b47b03aa3f65cb2bff857bf0ecc4dc4c474ae48bccc65f94497
Instruction Fuzzy Hash: B7417C71900209EFDF149F54DC85AAAB7B8FF05310F1440A9ED049B297DB34DE65EBA4

Function 00FC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,?,?,?,00F86C2A), ref: 00FC824C
EnableWindow.USER32(?,00000000), ref: 00FC8272
ShowWindow.USER32(?,00000000,?,?,?,?,00F86C2A), ref: 00FC82D1
ShowWindow.USER32(?,00000004,?,?,?,?,00F86C2A), ref: 00FC82E5
EnableWindow.USER32(?,00000001), ref: 00FC830B
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FC832F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9f2bfdf7c161bbfc78181579a81a0680b54aad369af3a07a06f4faaf45f96cbc
Instruction ID: ce1ed3d66f1645423ede8ba1bd3d08d3c20f4774d7f754127d66d38f2df23064
Opcode Fuzzy Hash: 9f2bfdf7c161bbfc78181579a81a0680b54aad369af3a07a06f4faaf45f96cbc
Instruction Fuzzy Hash: E341B934A01645EFDB22CF15CA8AFE47BE0FB06764F18516DE5484F262CB32A842EF50

Function 00F94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F94CEA
_wcslen.LIBCMT ref: 00F94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F94D10
_wcsstr.LIBVCRUNTIME ref: 00F94D1A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 35a1287cde8d07ef69f082ac50d66562b22cf15177fcd01112ae582e22853f19
Instruction ID: ca75e8ab7f81fc78c8bc3ce2b6c9a834c93541015d93d3956fabb2b3480534a4
Opcode Fuzzy Hash: 35a1287cde8d07ef69f082ac50d66562b22cf15177fcd01112ae582e22853f19
Instruction Fuzzy Hash: B4212936A042047BFF155B35ED0AE7B7F9CDF55760F10402AF809CB191EA65EC01B6A0

Function 00FA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

_wcslen.LIBCMT ref: 00FA587B
CoInitialize.OLE32(00000000), ref: 00FA5995
CoCreateInstance.OLE32(00FCFCF8,00000000,00000001,00FCFB68,?), ref: 00FA59AE
CoUninitialize.OLE32 ref: 00FA59CC

Strings

.lnk, xrefs: 00FA5876, 00FA58C1, 00FA5985

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 696904c6f9f25b335417546040b45a6984a56e7b00d98044bad99af8be55b215
Instruction ID: 398e7affa00d16a19d5dc451be9adb73797cd8db24a4da124c3b4d8a889c699c
Opcode Fuzzy Hash: 696904c6f9f25b335417546040b45a6984a56e7b00d98044bad99af8be55b215
Instruction Fuzzy Hash: 0FD166B5A047019FC714DF25C880A2ABBE5FF8AB20F14885DF8899B361D735EC45DB92

Function 00F9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F90FCA
Part of subcall function 00F90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F90FD6
Part of subcall function 00F90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F90FE5
Part of subcall function 00F90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F90FEC
Part of subcall function 00F90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F91002

GetLengthSid.ADVAPI32(?,00000000,00F91335), ref: 00F917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F917BA
HeapAlloc.KERNEL32(00000000), ref: 00F917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F917DA
GetProcessHeap.KERNEL32(00000000,00000000,00F91335), ref: 00F917EE
HeapFree.KERNEL32(00000000), ref: 00F917F5

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: df23123833eaaf32221ddbd2587828e9b75b719c07658df5561bf436fab36b5e
Instruction ID: 2d5236ad9d3c61401fbf0c4ffd48a6434aeefe81b675b53bc36e4f5c3c6a62e0
Opcode Fuzzy Hash: df23123833eaaf32221ddbd2587828e9b75b719c07658df5561bf436fab36b5e
Instruction Fuzzy Hash: 7911AC3290020AFFEF119FA5CD4AFAF7BA9FB41365F144028F44597221C739A940EBA0

Function 00F914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F91515
CloseHandle.KERNEL32(00000004), ref: 00F91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F91563

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fa42eaaf1faaeb196f894ccd1dafbe2b027d180b4e63cc8b23bd98b57a74b9d6
Instruction ID: b9444e9c2cc4f2321ac5cd28b7d10830b69c4d2d6b8b850e792eac43d4afa2b1
Opcode Fuzzy Hash: fa42eaaf1faaeb196f894ccd1dafbe2b027d180b4e63cc8b23bd98b57a74b9d6
Instruction Fuzzy Hash: C5111A7250024EABEF12CF98DE49FDA7BA9FF49754F054025FA05A2060C3768E61AB60

Function 00F53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F53379,00F52FE5), ref: 00F53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F533B7
SetLastError.KERNEL32(00000000,?,00F53379,00F52FE5), ref: 00F53409

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a175758009a3e1fd59792d130facd9f9cec609ef305f0739054c67d7c1d832a8
Instruction ID: 8bfb04a77b69eb68bb435842096da64f7d912c9ac7fbddf3628a0db9fb5e17e4
Opcode Fuzzy Hash: a175758009a3e1fd59792d130facd9f9cec609ef305f0739054c67d7c1d832a8
Instruction Fuzzy Hash: B301B533A09329AEE615277C7D86A663E58DF053FB720022DFE10851F1EF554D0AB588

Function 00F62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F65686,00F73CD6,?,00000000,?,00F65B6A,?,?,?,?,?,00F5E6D1,?,00FF8A48), ref: 00F62D78
_free.LIBCMT ref: 00F62DAB
_free.LIBCMT ref: 00F62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F5E6D1,?,00FF8A48,00000010,00F34F4A,?,?,00000000,00F73CD6), ref: 00F62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F5E6D1,?,00FF8A48,00000010,00F34F4A,?,?,00000000,00F73CD6), ref: 00F62DEC
_abort.LIBCMT ref: 00F62DF2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 81b5c04f40282a77e11b73b5c8bb2c8a2e9ac8b2965e1a88b8c004082194b095
Instruction ID: 0450a4dc0566e9defa97b2e03db9d944f721e227956adf8889668de538f9fe6b
Opcode Fuzzy Hash: 81b5c04f40282a77e11b73b5c8bb2c8a2e9ac8b2965e1a88b8c004082194b095
Instruction Fuzzy Hash: 43F0C832E05E1527C3923739BD16F6E356DAFC27B1F250519F828931D6EF28880272A0

Function 00FC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496A2
Part of subcall function 00F49639: BeginPath.GDI32(?), ref: 00F496B9
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00FC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00FC8A80
EndPath.GDI32(?), ref: 00FC8A90
StrokePath.GDI32(?), ref: 00FC8AA0

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 859806fb41bc43775542a447cae9e32963f06a0985b1308590483ff211a33c39
Instruction ID: f850df26a5e1e46ad96711fc6d2467278d67d361d4d15f59cba1a0654929e3b9
Opcode Fuzzy Hash: 859806fb41bc43775542a447cae9e32963f06a0985b1308590483ff211a33c39
Instruction Fuzzy Hash: AE11097644010DFFDB129F90DD89EAA7F6CEB08390F048016FA599A1A1C7729D55EFA0

Function 00F951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F95230
ReleaseDC.USER32(00000000,00000000), ref: 00F95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F95261

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 10969ddb90bba011222401d2698ee146da33a389b64b186db9b49753af71e373
Instruction ID: ca30bc7bf841b3472f23890a763e62255cb6f0aff9eff6ab1ce47ef195f88b6d
Opcode Fuzzy Hash: 10969ddb90bba011222401d2698ee146da33a389b64b186db9b49753af71e373
Instruction Fuzzy Hash: BB018475E01708BBEF105BA59D4AE4EBF78EB44751F044065FA08A7280D6709800DBA0

Function 00F31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F31C22

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8557dd3bb649fae0f15c8831364d3896f253883c04ae49aedb72e8a983dba543
Instruction ID: 37f0e19f2c8846bbb16a2589e9272c1a2b61fb8f43e42a892d8f83bb0facc490
Opcode Fuzzy Hash: 8557dd3bb649fae0f15c8831364d3896f253883c04ae49aedb72e8a983dba543
Instruction Fuzzy Hash: A50167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00F9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB75

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b277e2c5883c5243653607a608f67d736f93fe945957a66b9aacd779d35e36f8
Instruction ID: faf9e1b729c313b92347992b1ae5ad31732b55c6b5687c1153e93032cd32690c
Opcode Fuzzy Hash: b277e2c5883c5243653607a608f67d736f93fe945957a66b9aacd779d35e36f8
Instruction Fuzzy Hash: 29F03A72A4015CBBE7215B639E0EEEF3A7CEFCAB15F000158F609D2091D7A15A01EAF5

Function 00F91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F9187F
UnloadUserProfile.USERENV(?,?), ref: 00F9188B
CloseHandle.KERNEL32(?), ref: 00F91894
CloseHandle.KERNEL32(?), ref: 00F9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F918A5
HeapFree.KERNEL32(00000000), ref: 00F918AC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3386af84c6987b7fcaf6d9dcdab1511a72c274ea4820873ca94364af8a9bf220
Instruction ID: ef155633d59e276a5af5091e68882571fa7643a5aa355976980335e276226bd7
Opcode Fuzzy Hash: 3386af84c6987b7fcaf6d9dcdab1511a72c274ea4820873ca94364af8a9bf220
Instruction Fuzzy Hash: 87E0ED36404509BBDB015FA2EE0DD05BF39FF497217108220F22982471CB335420EF90

Function 00F9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F9C6EE
_wcslen.LIBCMT ref: 00F9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F9C7CA

Strings

0, xrefs: 00F9C6AF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e17bfbcf9f675d7bfe97bb7598331addefe36d9db5dca3c28049d636eac6cb7d
Instruction ID: f92fb6b11d25ac4061ab42134f943a575ac20d3e6ea1e49fd1e1279f7d25fc3e
Opcode Fuzzy Hash: e17bfbcf9f675d7bfe97bb7598331addefe36d9db5dca3c28049d636eac6cb7d
Instruction Fuzzy Hash: D551AF71A043009BEB159F68C985B6B77E4AF89320F040A2DF999D31D1DB74D908EBD3

Function 00FBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FBAEA3

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

GetProcessId.KERNEL32(00000000), ref: 00FBAF38
CloseHandle.KERNEL32(00000000), ref: 00FBAF67

Strings

<, xrefs: 00FBAE6B
@, xrefs: 00FBAE72

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ecd0381009f44337ed858523e457fc3b932525d0ed72467063142dd88198a9cc
Instruction ID: b597d7ee9e031a87c508b610e0b9cb2ac27562155db3c3164940831a52da74d6
Opcode Fuzzy Hash: ecd0381009f44337ed858523e457fc3b932525d0ed72467063142dd88198a9cc
Instruction Fuzzy Hash: FB716975A00619DFCB14EF66C885A9EBBF0BF08320F048499E856AB352C774ED45EF91

Function 00F9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F972CF

Strings

DllGetClassObject, xrefs: 00F97242

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c25a12262ec1d93283289550d1a49275569e08ecbbe2edb180d77107b3c7426e
Instruction ID: 4665484bdf1e05574b8ed9f8ddc36e3201d0f12831aaae9a7737fbd19665e359
Opcode Fuzzy Hash: c25a12262ec1d93283289550d1a49275569e08ecbbe2edb180d77107b3c7426e
Instruction Fuzzy Hash: C4418D71A24304EFEF15DF54C885B9A7BA9EF44710F2480A9BD099F24AD7B0D944EFA0

Function 00FC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC3E35
IsMenu.USER32(?), ref: 00FC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC3E92
DrawMenuBar.USER32 ref: 00FC3EA5

Strings

0, xrefs: 00FC3D89

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 05cf3527c98872804c4296126f5d708a012feff35e43a020f6f12784f058ea2f
Instruction ID: 65ad72ca42df5c3d2570dcd54e174e692ee7b4189882b3e354946ebd2cd6a204
Opcode Fuzzy Hash: 05cf3527c98872804c4296126f5d708a012feff35e43a020f6f12784f058ea2f
Instruction Fuzzy Hash: 63414A75A0020AAFDB10DF50D985EAABBB5FF493A4F04812DF90597250D734EE49EFA0

Function 00F91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F91EA9

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Strings

ComboBox, xrefs: 00F91DF0
ListBox, xrefs: 00F91E25

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 26edbc4a110ac7a30072238b0ced26add22c42b07ee19f8cfae93bf2440c0c96
Instruction ID: 681a47ab4e912ac555ece12a0ece61b1a8561f213f8148c9a79e6d1e87b69cf1
Opcode Fuzzy Hash: 26edbc4a110ac7a30072238b0ced26add22c42b07ee19f8cfae93bf2440c0c96
Instruction Fuzzy Hash: 4C213B75A00109BFEF14AB64DD46CFFB7B8EF45360F104129F919A71E1DB785909B620

Function 00F54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F54D1E,00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002), ref: 00F54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F54D1E,00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000), ref: 00F54DC3

Strings

CorExitProcess, xrefs: 00F54D98
mscoree.dll, xrefs: 00F54D86

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e51c13866f658861d9d2873d5f43be678a4299c399d35df78ead9835ba72d9f5
Instruction ID: 12350ae1fd9e3c98157d1d052510587eafdf9d2dd3ca097311f0c99613e7c113
Opcode Fuzzy Hash: e51c13866f658861d9d2873d5f43be678a4299c399d35df78ead9835ba72d9f5
Instruction Fuzzy Hash: 7BF0813090020CABDB109B90DD0AFADBBB5EF04716F040155ED09A3250CF349984EAD1

Function 00F34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F34EAE
FreeLibrary.KERNEL32(00000000,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F34EA8
kernel32.dll, xrefs: 00F34E94

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 09484a0c0c73b445ebc1331bc67daf69b3493894139f3d7dc65df07184c2418c
Instruction ID: b215839a817e5f5c46ce1eb0e0df179e8000a55ac2bb1b41372e909a1b840b8f
Opcode Fuzzy Hash: 09484a0c0c73b445ebc1331bc67daf69b3493894139f3d7dc65df07184c2418c
Instruction Fuzzy Hash: 98E08635E015225BD22117266C1AF6B7554AFC1B72B0D0115FD08D3120DB60ED4260E1

Function 00F34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F34E74
FreeLibrary.KERNEL32(00000000,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F34E6E
kernel32.dll, xrefs: 00F34E5B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f45ff7c2d87c046ac400204faae754e08b896d94e639111b7c70538ed378b6ae
Instruction ID: 8728d81927d4be91d1e1972a42dc781d1ec228600e57f7cdcfc1caa6b9e10817
Opcode Fuzzy Hash: f45ff7c2d87c046ac400204faae754e08b896d94e639111b7c70538ed378b6ae
Instruction Fuzzy Hash: C0D0C232D026225786221B26AC0AE8B3A18AF81F3530D0115F908A3114CF20ED42B1D0

Function 00FA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2C05
DeleteFileW.KERNEL32(?), ref: 00FA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2CC0

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 30d4d613f0ff07a81f191ba96af4ad5546636d7a7ca8c6af637bf746e21f5125
Instruction ID: fe7839791b44103da15b4b153938eea9cc7893b71495bcd9b1093cebd4b19357
Opcode Fuzzy Hash: 30d4d613f0ff07a81f191ba96af4ad5546636d7a7ca8c6af637bf746e21f5125
Instruction Fuzzy Hash: AFB170B2E00119ABDF24DFA8CC85EDEB77DEF49350F0040A6FA09E7151EA349A449F61

Function 00FBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FBA468
CloseHandle.KERNEL32(?), ref: 00FBA63D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ea486416fbdad2b46f374eec08bf5848d1542ae76db1c3ecec7ddd8fc44a0bae
Instruction ID: 44cda2fed4d5aa9d6418713f416045908ba8535090108cd479edfeb33c9e1bde
Opcode Fuzzy Hash: ea486416fbdad2b46f374eec08bf5848d1542ae76db1c3ecec7ddd8fc44a0bae
Instruction Fuzzy Hash: 4CA1A271604300AFD720DF25C886F2AB7E5AF44724F14881DFA9A9B392DB74EC419F92

Function 00F9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F9CF22,?), ref: 00F9DDFD

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F9CF22,?), ref: 00F9DE16

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F9E473
MoveFileW.KERNEL32(?,?), ref: 00F9E4AC
_wcslen.LIBCMT ref: 00F9E5EB
_wcslen.LIBCMT ref: 00F9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F9E650

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ce8a98f9d61d7508ecd2e7261a222bde4605937f2eb7413e9f0ecb4a19a7a268
Instruction ID: 309144dd3c8ce6b9aa4ac0b8fab9c391aa56b027abedbcf6f232142fd57ce621
Opcode Fuzzy Hash: ce8a98f9d61d7508ecd2e7261a222bde4605937f2eb7413e9f0ecb4a19a7a268
Instruction Fuzzy Hash: 9D5192B24083459BDB24DBA4DC819DF73ECAF84350F00491EF689D3191EF79A588D766

Function 00FBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FBBBB3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8803b01100614447e3c23928a40a54c009a41ff2509bc314cc81f8a55ff01e59
Instruction ID: d34bfbb8ca028ca833a4bc876bb5b18a722eacdc8eb755b9afc87e43a2bf7cff
Opcode Fuzzy Hash: 8803b01100614447e3c23928a40a54c009a41ff2509bc314cc81f8a55ff01e59
Instruction Fuzzy Hash: D961C031608201AFC314DF15C891E6ABBE9FF84318F14855CF4998B2A2CB75ED45EF92

Function 00F98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F98BCD
VariantClear.OLEAUT32 ref: 00F98C3E
VariantClear.OLEAUT32 ref: 00F98C9D
VariantClear.OLEAUT32(?), ref: 00F98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F98D3B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 291cb3f6aecedb64109d19e0e41055d8679fbc140f1cd58d27088411cf332c3c
Instruction ID: 632c99ed75b9ae2abd439d1b1f1db4e73cf0c7803dc2e67ab8c909231fbeac65
Opcode Fuzzy Hash: 291cb3f6aecedb64109d19e0e41055d8679fbc140f1cd58d27088411cf332c3c
Instruction Fuzzy Hash: AE515AB5A00219EFDB14CF68C894EAAB7F8FF89350B158559E909DB350E730E912CF90

Function 00FA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FA8C5F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: aa974e09500b3e752abcc990ce0c474cc044992cebd8b2e546c68daac46bde25
Instruction ID: 4caab79c85e38ea0b0c85e20ee5f7ac28c0ef68540cbf162fd9db3403921b898
Opcode Fuzzy Hash: aa974e09500b3e752abcc990ce0c474cc044992cebd8b2e546c68daac46bde25
Instruction Fuzzy Hash: 46515C75A002189FCB14DF65C881E69BBF5FF49364F088058E849AB362CB35ED51EFA0

Function 00FB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FB9032
FreeLibrary.KERNEL32(00000000), ref: 00FB9052

Part of subcall function 00F4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FA1043,?,753CE610), ref: 00F4F6E6
Part of subcall function 00F4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F8FA64,00000000,00000000,?,?,00FA1043,?,753CE610,?,00F8FA64), ref: 00F4F70D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3d4fa56d8c05933ea2d8d3fca2d224b6fe95fa51da0125bfa52f429a7cfd8ec3
Instruction ID: 00bb09037e7ba97529a196c3ebb94a5494ebce70c968f45d73665df09d9dc711
Opcode Fuzzy Hash: 3d4fa56d8c05933ea2d8d3fca2d224b6fe95fa51da0125bfa52f429a7cfd8ec3
Instruction Fuzzy Hash: 27515C35A04205DFCB10EF65C4949ADBBB1FF49364F088098E9099B362DB75ED86EF90

Function 00FC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00FC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FAAB79,00000000,00000000), ref: 00FC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FC6CC7

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 312eada402ed8e009ee223a034f6da86f9da9a4dc7c01ee9cb50a097e028ece0
Instruction ID: b1af642546ff78b5c768931054fd3d0dde7bff86df1ca3f81b2be8168dad400f
Opcode Fuzzy Hash: 312eada402ed8e009ee223a034f6da86f9da9a4dc7c01ee9cb50a097e028ece0
Instruction Fuzzy Hash: EC41D635A08105AFD724CF28CE56FA57BA5EB49361F15022CF899E73E1C371ED41EA90

Function 00F62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F620C3
_free.LIBCMT ref: 00F620E3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8fc6d05bf3c004f0ac263b6d92f9ae5c5b69f05f0e4fd748d9b62e99f74c0aa8
Instruction ID: 1252ad06e9ae2c6491d5981706a9e4941cca49a26b06d9f260bf5a2816d51164
Opcode Fuzzy Hash: 8fc6d05bf3c004f0ac263b6d92f9ae5c5b69f05f0e4fd748d9b62e99f74c0aa8
Instruction Fuzzy Hash: A741D232E00604AFCB24DF78CD81A6DB7B5EF89724F154569EA15EB351DB31AD01EB80

Function 00F4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F49141
ScreenToClient.USER32(00000000,?), ref: 00F4915E
GetAsyncKeyState.USER32(00000001), ref: 00F49183
GetAsyncKeyState.USER32(00000002), ref: 00F4919D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c6dcd07f1e1abe0ab576f625aa98e7fb1a7a0f484a3a94a1f829852331aceb8c
Instruction ID: dd7ffb77db66b8080dd88197b2aca3585f64e64ebf479c2d68b8cb13329303fb
Opcode Fuzzy Hash: c6dcd07f1e1abe0ab576f625aa98e7fb1a7a0f484a3a94a1f829852331aceb8c
Instruction Fuzzy Hash: 21414131A0861AABDF15AF64C848BEEBB74FB45334F244219E829A7290C7746950EB91

Function 00FA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FA3922
TranslateMessage.USER32(?), ref: 00FA394B
DispatchMessageW.USER32(?), ref: 00FA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA3966

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b4976348c6d576d258c91ed9e9b385b00c209ad7212622d5b3d777b492cdc689
Instruction ID: a8222961002ed6795e81dc3d54faa6a617179952d8b0aef25fde84b9affabc81
Opcode Fuzzy Hash: b4976348c6d576d258c91ed9e9b385b00c209ad7212622d5b3d777b492cdc689
Instruction Fuzzy Hash: ED31C6B1D04345AFEB36CB34D849BB737A9EB0B314F04455DF49682190E3B9D684EB11

Function 00FACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFF2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: b14b361ead18fad01c09199e98a8507e6c113c33e4183f4f6ba87a9031c9fa53
Instruction ID: 8134017e5519e02cd549d593034839d111ea2229e5cc164e51dd44a44b78faff
Opcode Fuzzy Hash: b14b361ead18fad01c09199e98a8507e6c113c33e4183f4f6ba87a9031c9fa53
Instruction Fuzzy Hash: 3A314DB1904209AFDB24DFA5D985AAABBF9EB15351B10442EF51AD3140DB30AD41EBB0

Function 00F91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F919E2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4ff9ce3a2849a7a1dfb40212bba2fa2d6c0afd8a787cebe00d6c54a6c396d95c
Instruction ID: 91777e01488a4ab13e1da44ec4d3b05c9850647347eb4d46697cdd28d6c6d234
Opcode Fuzzy Hash: 4ff9ce3a2849a7a1dfb40212bba2fa2d6c0afd8a787cebe00d6c54a6c396d95c
Instruction Fuzzy Hash: 0331AF72A0021AEFDF14CFA8CE99ADE3BB5FB44325F104225F925A72D1C7709954EB90

Function 00FB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FB0951
GetForegroundWindow.USER32 ref: 00FB0968
GetDC.USER32(00000000), ref: 00FB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FB09E8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 778064abd396831a90d5bb23594929d17f62b04e904192e692c5fb30a87477b9
Instruction ID: 816d347705af43968114199f8e6272177f19166a4d5e35d52153a97914687180
Opcode Fuzzy Hash: 778064abd396831a90d5bb23594929d17f62b04e904192e692c5fb30a87477b9
Instruction Fuzzy Hash: 35218175A00204AFD714EF65CD85EAEBBE9EF49750F048068F84A97752CB34AC04EF90

Function 00F6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F6CDE9

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F6CE0F
_free.LIBCMT ref: 00F6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F6CE31

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ff0a92cf47cfbbb1118f4563c237212df8d3b7fb0ce512589ad8e7aa4685c9b4
Instruction ID: d07f85d726826827cc7ff66ebb54f9dfb4592d89d96b0c917592762a49e07802
Opcode Fuzzy Hash: ff0a92cf47cfbbb1118f4563c237212df8d3b7fb0ce512589ad8e7aa4685c9b4
Instruction Fuzzy Hash: 4A01D472A022157F232116BA6D89D7B797DDED6FA13150129F989C7200EA6A8D01B1F0

Function 00F49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
SelectObject.GDI32(?,00000000), ref: 00F496A2
BeginPath.GDI32(?), ref: 00F496B9
SelectObject.GDI32(?,00000000), ref: 00F496E2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bd08838dc90f2fa06c25a3eef665e6de7be1b2ae4b266160afe7e0b28ecdf777
Instruction ID: 1f833d71c485e68d8f4dbe77b5684db6c0cf6727c30a0e4627474b3d0ea8b4bd
Opcode Fuzzy Hash: bd08838dc90f2fa06c25a3eef665e6de7be1b2ae4b266160afe7e0b28ecdf777
Instruction Fuzzy Hash: 8721A73191A305EFDB229F25ED09BAA3F74BB50325F110215F854971E4D3B5D851EF90

Function 00F95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F95726
_memcmp.LIBVCRUNTIME ref: 00F95744
_memcmp.LIBVCRUNTIME ref: 00F95757
_memcmp.LIBVCRUNTIME ref: 00F9576F
_memcmp.LIBVCRUNTIME ref: 00F95787

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a46967d6594a2b53ddfaa819e23b872cc96cb6ad52fc3c68fcc150d61baf5191
Instruction ID: c94f58478b8800250e259a2f2f448be6de9798ea3be1f5ed481c9ad06dc2d624
Opcode Fuzzy Hash: a46967d6594a2b53ddfaa819e23b872cc96cb6ad52fc3c68fcc150d61baf5191
Instruction Fuzzy Hash: 1B01DB6264160EBAFA0955509E92FBA735D9B617A5B004024FE045A141F730FF14B3A3

Function 00F62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6), ref: 00F62DFD
_free.LIBCMT ref: 00F62E32
_free.LIBCMT ref: 00F62E59
SetLastError.KERNEL32(00000000,00F31129), ref: 00F62E66
SetLastError.KERNEL32(00000000,00F31129), ref: 00F62E6F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8c2e8feb4d63ce866bd3273c4920e55e6cec88047e890a0ac3ac345915e7ac47
Instruction ID: b5a1cd081173df500862646f7ca9595da4dcd0538bc4ef0a106afd0f69a09613
Opcode Fuzzy Hash: 8c2e8feb4d63ce866bd3273c4920e55e6cec88047e890a0ac3ac345915e7ac47
Instruction Fuzzy Hash: 8E012836A45E0467C75227357D86E2B366DEFE17B1B250038F425A32D2EF3A8C01B160

Function 00F9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?,?,00F9035E), ref: 00F9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?), ref: 00F90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90070

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8df11c1cdb20887e1529adc35e68a1c4fafd0a3c6bc93f4ea60481277f11266b
Instruction ID: 1ba4f4742c68d84245f5e6c315cd007b862d43f3d75a33e801c4c8ba48c819f7
Opcode Fuzzy Hash: 8df11c1cdb20887e1529adc35e68a1c4fafd0a3c6bc93f4ea60481277f11266b
Instruction Fuzzy Hash: 2B018F72A00208BFEF108F68DD05FAA7AEDEB44761F144124F909D3260DB71DD40ABA0

Function 00F9E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F9E9A5
Sleep.KERNEL32(00000000), ref: 00F9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F9E9B7
Sleep.KERNEL32 ref: 00F9E9F3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3379186f8ff7d9c7e46b555e0c5617e71f1af2e083b339d5e5f754311263474e
Instruction ID: 2641d4df9c4d97a53ed404f92dc43e34f3308e9198874dc92532920ec800d6bb
Opcode Fuzzy Hash: 3379186f8ff7d9c7e46b555e0c5617e71f1af2e083b339d5e5f754311263474e
Instruction Fuzzy Hash: E0015731C0162DDBDF40EBE6DD5AAEDBB78FB08310F050946E502B2241CB309950ABA1

Function 00F910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c5592ab2a98ba22b2df340d2582a6c2f2775da9b13c23f9375efa234c3561d0b
Instruction ID: e7d7f97926d6eb8be0a351c720680409d9906bbc47a077e5f8cf1f53e15e5490
Opcode Fuzzy Hash: c5592ab2a98ba22b2df340d2582a6c2f2775da9b13c23f9375efa234c3561d0b
Instruction Fuzzy Hash: 3C016D75500209BFDB114F65DD4EE6A3B6EFF85360B150424FA49C3360DB31DC41AAA0

Function 00F90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F91002

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 400786bf12b0b6318772ca0ff069f850d3e347a8b572b9418a274bea4645dab5
Instruction ID: f0cf8b190df2e7fd07a609ea1ba6fd70d881e3ae1f76b1278bac349ab3bf2d3f
Opcode Fuzzy Hash: 400786bf12b0b6318772ca0ff069f850d3e347a8b572b9418a274bea4645dab5
Instruction Fuzzy Hash: 2EF06235540305EBDB214FA5DD4EF563B6DFF89761F144424F949C7261CA71DC40DAA0

Function 00F91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91062

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bb8e2d5f7e0b857f47de851a227f1b86b7c3ab85965eadb9510881d66aa13e4a
Instruction ID: b7070b0cbbfcab6e9c0f0112e945abd31922c6ebb920551d9e97fa2ff4f56800
Opcode Fuzzy Hash: bb8e2d5f7e0b857f47de851a227f1b86b7c3ab85965eadb9510881d66aa13e4a
Instruction Fuzzy Hash: D5F06235540305EBDB215FA5ED4AF563B6DFF89761F140424F949C7261CA72D8409AA0

Function 00FA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0324
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0331
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA033E
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA034B
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0358
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0365

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c3ad3fcc27041ec3c8cdd1eff83dc02a0b95e8cdeb02210087b47c7ee1f1b6fc
Instruction ID: 0aeb2e48c00258c130073634ea7236a5d4cf56cd13b74875ad27b74a8072f579
Opcode Fuzzy Hash: c3ad3fcc27041ec3c8cdd1eff83dc02a0b95e8cdeb02210087b47c7ee1f1b6fc
Instruction Fuzzy Hash: 3901A2B2800B159FCB309F66E880812F7F9BF613253158A3FD19652931C771A954EF80

Function 00F6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F6D752

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6D764
_free.LIBCMT ref: 00F6D776
_free.LIBCMT ref: 00F6D788
_free.LIBCMT ref: 00F6D79A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6b16d924ea5049960f3fec5e180d636768039d3bbca1a704d226523bad88477d
Instruction ID: eb0b73c048461cc04f4a29c0db57788a319b222139c097f566e2c5e39e875839
Opcode Fuzzy Hash: 6b16d924ea5049960f3fec5e180d636768039d3bbca1a704d226523bad88477d
Instruction Fuzzy Hash: EEF0FF32F4461CAB8669EB68FAC5C267BFDBF44760B940805F048D7501CB24FC80F6A5

Function 00F95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F95C6F
MessageBeep.USER32(00000000), ref: 00F95C87
KillTimer.USER32(?,0000040A), ref: 00F95CA3
EndDialog.USER32(?,00000001), ref: 00F95CBD

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c8e3826e29ff6584c379f69feebbe46623a4e50bc539cede09a22386945fcbb2
Instruction ID: b95e44192bcd50cf9ea1a4ee57d697b2df386b197944adf3b6e465246d4473a1
Opcode Fuzzy Hash: c8e3826e29ff6584c379f69feebbe46623a4e50bc539cede09a22386945fcbb2
Instruction Fuzzy Hash: 93016770500704ABFF255B20DF4FF9577B8BB00F05F000559E646A15E1D7F45944AB90

Function 00F622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F622BE

Part of subcall function 00F629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F622D0
_free.LIBCMT ref: 00F622E3
_free.LIBCMT ref: 00F622F4
_free.LIBCMT ref: 00F62305

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc6843ed631d07c22d3fad7460ac43cf1fbf492cd29d226e112c0598228b45c2
Instruction ID: aa2bbad4af0e0cb53714d3c12d2c0ca7e376937310798e4d4d601d83c32f7215
Opcode Fuzzy Hash: cc6843ed631d07c22d3fad7460ac43cf1fbf492cd29d226e112c0598228b45c2
Instruction Fuzzy Hash: 2EF030B09009248B8767AF58FC019283BB4BB187E1F00051AF450D2269C73E4411FBE5

Function 00F495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F495D4
StrokeAndFillPath.GDI32(?,?,00F871F7,00000000,?,?,?), ref: 00F495F0
SelectObject.GDI32(?,00000000), ref: 00F49603
DeleteObject.GDI32 ref: 00F49616
StrokePath.GDI32(?), ref: 00F49631

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1ec6558f40112519879b1ba33c22776beb45c59ed82277d4679148dc12c2ad04
Instruction ID: eb9a115fe45329663b6298e43f8977f86d12dd524ffa7f819700acd6cff3f37d
Opcode Fuzzy Hash: 1ec6558f40112519879b1ba33c22776beb45c59ed82277d4679148dc12c2ad04
Instruction Fuzzy Hash: 9AF03C31509208EBDB275F65EE0DB653F61BB00332F148214F9A9960F4CB7A8991EF60

Function 00F60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F610F9
__freea.LIBCMT ref: 00F61117

Part of subcall function 00F61537: _free.LIBCMT ref: 00F6154F

Strings

am/pm, xrefs: 00F6117A
a/p, xrefs: 00F611DE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a9bd80f194cdf2b3e74ff5058b8fd7d63cf37508d7549c21de56218fbab196b8
Instruction ID: d204e4756f066e60072195444a80b3e5e6d37ab56c804836dc9940ecab1d33d3
Opcode Fuzzy Hash: a9bd80f194cdf2b3e74ff5058b8fd7d63cf37508d7549c21de56218fbab196b8
Instruction Fuzzy Hash: E0D10132D00206DADB289F68C856BFEB7B5FF06320F2C4159E906AB751D7359D80EB91

Function 00FB7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F50242: EnterCriticalSection.KERNEL32(0100070C,01001884,?,?,00F4198B,01002518,?,?,?,00F312F9,00000000), ref: 00F5024D
Part of subcall function 00F50242: LeaveCriticalSection.KERNEL32(0100070C,?,00F4198B,01002518,?,?,?,00F312F9,00000000), ref: 00F5028A

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F500A3: __onexit.LIBCMT ref: 00F500A9

__Init_thread_footer.LIBCMT ref: 00FB7BFB

Part of subcall function 00F501F8: EnterCriticalSection.KERNEL32(0100070C,?,?,00F48747,01002514), ref: 00F50202
Part of subcall function 00F501F8: LeaveCriticalSection.KERNEL32(0100070C,?,00F48747,01002514), ref: 00F50235

Strings

5, xrefs: 00FB7C78
G, xrefs: 00FB7C7F
Variable must be of type 'Object'., xrefs: 00FB7C3A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 8a5af8f856e350eb6b64cafd98063e61bd7f80e0eae6302f8ba53bb5c8f38a60
Instruction ID: e73325fed7b5483a56d0b0da1bdcd043bbe22ac84a628c038eafd21bdc741555
Opcode Fuzzy Hash: 8a5af8f856e350eb6b64cafd98063e61bd7f80e0eae6302f8ba53bb5c8f38a60
Instruction Fuzzy Hash: 70919A70A04209AFCB14EF56D891DEDBBB1BF88350F148049F846AB292DB75AE41EF51

Function 00F92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F921D0,?,?,00000034,00000800,?,00000034), ref: 00F9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F92760

Part of subcall function 00F9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F9B3F8

Part of subcall function 00F9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F9B355
Part of subcall function 00F9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F92194,00000034,?,?,00001004,00000000,00000000), ref: 00F9B365
Part of subcall function 00F9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F92194,00000034,?,?,00001004,00000000,00000000), ref: 00F9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F9281A

Strings

@, xrefs: 00F92832

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 471358b870f5b91ec497d7d39208cd6a4eac61b849f9089f32b277c66bd99a40
Instruction ID: d6cb8534c5b52ab299347c7e4ae2775eb6a40896fa800300e7069d01af4bdd28
Opcode Fuzzy Hash: 471358b870f5b91ec497d7d39208cd6a4eac61b849f9089f32b277c66bd99a40
Instruction Fuzzy Hash: 1A412A72900218BEEF10DFA4DD46EEEBBB8AF09310F004095EA55B7181DA716E45EBA1

Function 00F6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00F61769
_free.LIBCMT ref: 00F61834
_free.LIBCMT ref: 00F6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00F61760, 00F61767, 00F61796, 00F617CE

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: fcc38755f7fd9b6d9e25132d88d093264a89839740ed0bfdd77be7e4793b9189
Instruction ID: 2ababf98555e20861330bff6d60c9abdf0ad3c89aefdc6c4f64c2c242e78ecd5
Opcode Fuzzy Hash: fcc38755f7fd9b6d9e25132d88d093264a89839740ed0bfdd77be7e4793b9189
Instruction Fuzzy Hash: 3D3161B1E00218ABDB22DFA99C85D9EBBFCFB85360F184166F844D7201D6748E41EB90

Function 00F9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01001990,01565560), ref: 00F9C395

Strings

0, xrefs: 00F9C2DF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0111b8111ad49048d5168acf27f0eec5cd3a84b4b2dc97f05815a2f8b041e251
Instruction ID: 98856ed0535e1aedee5d71d9d1d3a9417583b43fa1ab72c7d6088b911a5b2fe2
Opcode Fuzzy Hash: 0111b8111ad49048d5168acf27f0eec5cd3a84b4b2dc97f05815a2f8b041e251
Instruction Fuzzy Hash: F041C2716043019FEB24DF29DC85F1ABBE8AF85320F048A1DF9A5972D1D774E904EB92

Function 00FB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FB3077,?,?), ref: 00FB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
_wcslen.LIBCMT ref: 00FB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FB3106

Strings

255.255.255.255, xrefs: 00FB3095, 00FB309A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b23d50ddf5c4c8cdfcbfd5a5d8f9064b7b49653351afdb0dfff87beb7df71f92
Instruction ID: 9ece32de23d5a81e73eb6c4c169683459d7e9b15d8c8b0a07fbf64f13db7eb73
Opcode Fuzzy Hash: b23d50ddf5c4c8cdfcbfd5a5d8f9064b7b49653351afdb0dfff87beb7df71f92
Instruction Fuzzy Hash: BF313739A042059FCB10DF2EC881EEA77E0EF14368F248059E8158B392DB71EE41EF60

Function 00FC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FC471A

Strings

msctls_updown32, xrefs: 00FC4684

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7e8dbee1562d04f99203d0fafdbfacae28cc0133b424c25ff92261d75f59a344
Instruction ID: ae979b70d3dedf99ecba5009ce0ce6dc257f40f0041dcf2e904e49806b5dcff0
Opcode Fuzzy Hash: 7e8dbee1562d04f99203d0fafdbfacae28cc0133b424c25ff92261d75f59a344
Instruction Fuzzy Hash: 2D215CB5600209AFDB11DF64DD92EA737ADEF4A3A4B040059FA049B391CB35FC51EBA0

Function 00F995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9961D

Strings

#OnAutoItStartRegister, xrefs: 00F995F3
#notrayicon, xrefs: 00F995B7
#requireadmin, xrefs: 00F995D9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f5d546e8b529c2d5b02114dd945be03be9d38173b5cf225431759a82faeff118
Instruction ID: c2b1b17625fdeac2479356f4cd9e8bcfbc23544161a30db31a5ea0e90bb62fb9
Opcode Fuzzy Hash: f5d546e8b529c2d5b02114dd945be03be9d38173b5cf225431759a82faeff118
Instruction Fuzzy Hash: C321387250861166EB31AA2CDC03FB7B7E89F91320F16402EF94997041EBD6AD49F2D6

Function 00FA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00FCCC08), ref: 00FA4AD0

Strings

%lu, xrefs: 00FA4A6F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 84558129202e02ab0e26badab146f832dcef51c96398ccdf932705a516cd1dd1
Instruction ID: 4844c1a13d1e979ef8e6185e9c9014be76801a3aa8b03f8289a150f1e822ca1d
Opcode Fuzzy Hash: 84558129202e02ab0e26badab146f832dcef51c96398ccdf932705a516cd1dd1
Instruction Fuzzy Hash: 5831D271A00109AFDB10DF54C981EAA7BF8EF49318F1480A9F908DB352DBB5ED45DBA1

Function 00F92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Part of subcall function 00F92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F92DC5
Part of subcall function 00F92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F92DD6
Part of subcall function 00F92DA7: GetCurrentThreadId.KERNEL32 ref: 00F92DDD
Part of subcall function 00F92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F92DE4

GetFocus.USER32 ref: 00F92F78

Part of subcall function 00F92DEE: GetParent.USER32(00000000), ref: 00F92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F92FC3
EnumChildWindows.USER32(?,00F9303B), ref: 00F92FEB

Strings

%s%d, xrefs: 00F92FFF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6a68c89fbe8085b73ebcd8546853e00f036716ad7b9169833f39c134f5de0ce7
Instruction ID: 200ea05bc1e4f80ba94e9b98c556b933312176d9683331a85250cf9e566f82d0
Opcode Fuzzy Hash: 6a68c89fbe8085b73ebcd8546853e00f036716ad7b9169833f39c134f5de0ce7
Instruction Fuzzy Hash: A311E4716002096BDF407F708D8AEED776AAF84314F048075FA0DDB252DE349909BB60

Function 00F8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F8D3BF
FreeLibrary.KERNEL32 ref: 00F8D3E5

Strings

X64, xrefs: 00F8D2A8
GetSystemWow64DirectoryW, xrefs: 00F8D3B9

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: d27686f5e2e605ed7376e409a77e64eabd7294ef8a0285a6022128f787e478d3
Instruction ID: 172dc952ed4a04bd7e07173994fe51fc9cdf407a610ba4be07aa4342d8d01dc6
Opcode Fuzzy Hash: d27686f5e2e605ed7376e409a77e64eabd7294ef8a0285a6022128f787e478d3
Instruction Fuzzy Hash: D6F0AB33C02622EBD33232118C59FE9B310AF00701F598119F80AE30C5DB20CD40B3C2

Function 00F9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c007c858b434a6ad71b7f3f90c97feccc5e6965d9e7f80df4d1452e8f26b85
Instruction ID: 37154d77f25197aa91f4d7bfe25a4a65b797ddb586c17450675e663f5d632791
Opcode Fuzzy Hash: 91c007c858b434a6ad71b7f3f90c97feccc5e6965d9e7f80df4d1452e8f26b85
Instruction Fuzzy Hash: 2FC11B75A0021AEFEB14CF94C894EAEB7B5FF48714F208598E505EB251DB31DD81EB90

Function 00F63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F63F0B
__alldvrm.LIBCMT ref: 00F6410C
__alldvrm.LIBCMT ref: 00F6412E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 3ed389782f5bb65d5dc2de8273a291c3a6ba9efb038f9df5db23cccda3cf183f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 69A18E72E00356AFDB26DF18CC917AEBBF4EF62360F14416DE5559B282C238AD81E750

Function 00FB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FB3459
CoUninitialize.OLE32 ref: 00FB3463
VariantInit.OLEAUT32(?), ref: 00FB346E
VariantClear.OLEAUT32(?), ref: 00FB371B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c335a1eb7459a300141b77ba537fac270589e995cd7a3faf4680db86eed4106d
Instruction ID: b39d47d2208e0af4756d68bfe410d5ffb296b27c51d78dcfbf7e9ea675f45a70
Opcode Fuzzy Hash: c335a1eb7459a300141b77ba537fac270589e995cd7a3faf4680db86eed4106d
Instruction Fuzzy Hash: 94A16D756043009FCB14EF29C985A5AB7E5FF88720F088859F9499B362DB34ED01EF91

Function 00F90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F90608
CLSIDFromProgID.OLE32(?,?,00000000,00FCCC40,000000FF,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F9062D
_memcmp.LIBVCRUNTIME ref: 00F9064E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 92ae87863a495b29ef2d9bcff8561358fd805c13720f4551e46a7b9b59f57a4f
Instruction ID: 3be96a316969fd47948b5f153b0480f2a9617160e179b2de2673cb55748e5ac8
Opcode Fuzzy Hash: 92ae87863a495b29ef2d9bcff8561358fd805c13720f4551e46a7b9b59f57a4f
Instruction Fuzzy Hash: 2B810671A00109EFDF04DF94C984EEEB7B9FF89315F244598E506AB250DB71AE06DB60

Function 00FBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FBA6BA

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FBA79C
CloseHandle.KERNEL32(00000000), ref: 00FBA7AB

Part of subcall function 00F4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F73303,?), ref: 00F4CE8A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 39a9f72bc7643a8a32814333bb210183cd979da637ae8d77f30d40b151531f42
Instruction ID: e952985726c4c6164ac70ecce323637fe16b94d1d9661649b42a205d0cfb413f
Opcode Fuzzy Hash: 39a9f72bc7643a8a32814333bb210183cd979da637ae8d77f30d40b151531f42
Instruction Fuzzy Hash: 55514A71508300AFD710EF25CC86A6BBBE8FF89764F40891DF98997261EB74D904DB92

Function 00F71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F714C0

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 45dd52bc277abc44171b19370028dbc6b263b63f58575fd09b55dbae38520e62
Instruction ID: 05494fe114e7ecd7b13d5a6bf4f518c400be1d326ba01e6b5c6a21c075082c78
Opcode Fuzzy Hash: 45dd52bc277abc44171b19370028dbc6b263b63f58575fd09b55dbae38520e62
Instruction Fuzzy Hash: A3414B72A001006BDB25EFBC9C46AAE3AA5FF42770F14C267F91DD3191E678484D7263

Function 00FC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FC62E2
ScreenToClient.USER32(?,?), ref: 00FC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FC6382

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1b5d700d0dfe11628755d150dddcad2f4e95233dacf4b28a84ffc6fe2c5469d2
Instruction ID: bf83720ceec6ca5109f84a9acb3aaa16d93d31e14db46e4f098114a5e3102ec3
Opcode Fuzzy Hash: 1b5d700d0dfe11628755d150dddcad2f4e95233dacf4b28a84ffc6fe2c5469d2
Instruction Fuzzy Hash: 35512974A0424AAFCF24DF54DA82EAE7BB5EB85360F10815DF855D7290D730ED41EB90

Function 00FB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FB1AFD
WSAGetLastError.WSOCK32 ref: 00FB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FB1B8A
WSAGetLastError.WSOCK32 ref: 00FB1B94

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e88621152209e5ef7fa380af039d79caa9ebe4d1dc63a2c984a63505037064aa
Instruction ID: f063d57c0ef76b605c32fc25a43d85fd37c5de1175585ab9d38cb90267ea0ecc
Opcode Fuzzy Hash: e88621152209e5ef7fa380af039d79caa9ebe4d1dc63a2c984a63505037064aa
Instruction Fuzzy Hash: 7B41D175600200AFE720AF20CC86F6A7BE5AB84728F54C44CFA1A9F7D2D776DD419B90

Function 00F6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de933fc2a69f588e7fa42309e840968b18bd5b12c63ab7d53002d7bd5fb337b
Instruction ID: 6c3c73fe338719740ba25122972b498e1e4f57cf0753cbb5d6e54ddd09d620c5
Opcode Fuzzy Hash: 5de933fc2a69f588e7fa42309e840968b18bd5b12c63ab7d53002d7bd5fb337b
Instruction Fuzzy Hash: AD415C71A00314BFD724EF38CC41BAA7BE9EB84720F10852EF546DB282D775A941A790

Function 00FA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FA5783
GetLastError.KERNEL32(?,00000000), ref: 00FA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FA57FA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 988a562bf4042f3a6119665eaa9470cb38901522df2337f4ac197d54f6682959
Instruction ID: c4d1088c09934395c5e1108c997bcbc14161476c46c18b3feec1b7880874e4b1
Opcode Fuzzy Hash: 988a562bf4042f3a6119665eaa9470cb38901522df2337f4ac197d54f6682959
Instruction Fuzzy Hash: FA415079600614DFCF14EF15C545A5DBBE1EF49720F188488E94AAB365CB38FD00EB91

Function 00F6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F56D71,00000000,00000000,00F582D9,?,00F582D9,?,00000001,00F56D71,8BE85006,00000001,00F582D9,00F582D9), ref: 00F6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F6D9AB
__freea.LIBCMT ref: 00F6D9B4

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 610af1e008eadf5144d6936ea13cbe5f498beccbecf8cccf8deb520ec823ef2e
Instruction ID: 343bbbc2808ad964d4fa05fa913f449d35f20d184cc2418da1e1659ab40003a4
Opcode Fuzzy Hash: 610af1e008eadf5144d6936ea13cbe5f498beccbecf8cccf8deb520ec823ef2e
Instruction Fuzzy Hash: DF31AD72E0020AABDB249F65DC45EAF7BA5EB41760B054168FC08D7250EB39DD54EBA0

Function 00FC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FC5352
GetWindowLongW.USER32(?,000000F0), ref: 00FC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC53A8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f330c96ec31f7fac195330eb1ec34079432ea5c990695ea256f4224f2cfc17e2
Instruction ID: 2f15c45d5230e1203f65f9ccce4913eeb304e6964b833b42361a5eee89fab928
Opcode Fuzzy Hash: f330c96ec31f7fac195330eb1ec34079432ea5c990695ea256f4224f2cfc17e2
Instruction Fuzzy Hash: 4831F431F55A4AAFEB349A54CE07FE83763AB04BA0F584109FA54861D1C7B5B9C0BB41

Function 00F9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00F9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F9AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00F9ACC6

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac7fb27e375aa883a92a70b4d75d9b030f516400b4c1bf5d635df5d49db35795
Instruction ID: 705542e6f9446113ed645ee0f96bda573398a2957e515c6cd753d3285f1a216b
Opcode Fuzzy Hash: ac7fb27e375aa883a92a70b4d75d9b030f516400b4c1bf5d635df5d49db35795
Instruction Fuzzy Hash: FE310530E04718AFFF35CB658C05BFA7BA5AB89321F04471AE4859A1D1C379C985B7E2

Function 00FC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FC769A
GetWindowRect.USER32(?,?), ref: 00FC7710
PtInRect.USER32(?,?,00FC8B89), ref: 00FC7720
MessageBeep.USER32(00000000), ref: 00FC778C

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 57f80ab76b4b377d76344c180b6a67b8dfdbd0873dc88378e98086c01b204c0e
Instruction ID: 2706c54389c97afd460ffaaf5805b87cd334c78682ba863188766b506fab85a8
Opcode Fuzzy Hash: 57f80ab76b4b377d76344c180b6a67b8dfdbd0873dc88378e98086c01b204c0e
Instruction Fuzzy Hash: 53419F34A0531AAFCB11EF68CA86FA9BBF4BF48310F1440ACE4549B251C335E941EF90

Function 00FC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FC16EB

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

GetCaretPos.USER32(?), ref: 00FC16FF
ClientToScreen.USER32(00000000,?), ref: 00FC174C
GetForegroundWindow.USER32 ref: 00FC1752

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: eaac3cd5f3c66db447d64c0b11e089de4fce33e396c2a38ec1774a330176d5e2
Instruction ID: c81cc2dbdc9121c65e2ef24a6afc1ade7a166ade41c80ec209fe53d5728002a5
Opcode Fuzzy Hash: eaac3cd5f3c66db447d64c0b11e089de4fce33e396c2a38ec1774a330176d5e2
Instruction Fuzzy Hash: B9316FB5D00209AFCB04EFA9C981DAEBBF9EF49314B5080A9E415E7212D735DE45DFA0

Function 00F9DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

_wcslen.LIBCMT ref: 00F9DFCB
_wcslen.LIBCMT ref: 00F9DFE2
_wcslen.LIBCMT ref: 00F9E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00F9E018

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 96349abc9c45f28996afa555ee2a5c09e9808039aec99da0667e4e02b6860f51
Instruction ID: f4baf9ce8b74a74d5755c9aa9d13bdbced03fed78760c7b16fd475423d02ae74
Opcode Fuzzy Hash: 96349abc9c45f28996afa555ee2a5c09e9808039aec99da0667e4e02b6860f51
Instruction Fuzzy Hash: 0521E571D00214AFDF20DFA8CD82B6EB7F8EF85720F144065E905BB245D6749E45EBA1

Function 00FC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetCursorPos.USER32(?), ref: 00FC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F87711,?,?,?,?,?), ref: 00FC9016
GetCursorPos.USER32(?), ref: 00FC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F87711,?,?,?), ref: 00FC9094

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6ec8b9c1d8a60871e04ae01a5d36c1ceff41918a6dbb61b24890c8a92ddd5717
Instruction ID: da46561950884c40e9e33c2e754a0a8d6e17880cfdd9a247b78716adc36e45a0
Opcode Fuzzy Hash: 6ec8b9c1d8a60871e04ae01a5d36c1ceff41918a6dbb61b24890c8a92ddd5717
Instruction Fuzzy Hash: 4321A135A04018FFDB268FA4C95AFFA7BB9EF89360F044059F90547261C3759990FBA0

Function 00F9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FCCB68), ref: 00F9D2FB
GetLastError.KERNEL32 ref: 00F9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FCCB68), ref: 00F9D376

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 97040ad723ebd0b6d1df70264071991255904af57961bbcc0e5cf465db70b37a
Instruction ID: df3759248d71d8651e3de0c0996159e0b962174c1ad243e89a264bb905beadce
Opcode Fuzzy Hash: 97040ad723ebd0b6d1df70264071991255904af57961bbcc0e5cf465db70b37a
Instruction Fuzzy Hash: 8F21A370908201DF9B00DF24C981CAA77E4EF95375F604A1DF499C32A1D731D946EB93

Function 00F91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9102A
Part of subcall function 00F91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F91036
Part of subcall function 00F91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91045
Part of subcall function 00F91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9104C
Part of subcall function 00F91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F915BE
_memcmp.LIBVCRUNTIME ref: 00F915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F91617
HeapFree.KERNEL32(00000000), ref: 00F9161E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d1903b948c66c0b1005c146cb2111eef9e686bca703b2126e95ed651a1df688e
Instruction ID: bc1e9651343886d12b2cced1c69e201e80e31b4ea2c2869d1f33eb5c388694b6
Opcode Fuzzy Hash: d1903b948c66c0b1005c146cb2111eef9e686bca703b2126e95ed651a1df688e
Instruction Fuzzy Hash: 6D219D31E4010AEFEF10DFA5C945BEEB7B8FF44354F094469E445AB241E730AA05EBA0

Function 00FC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FC2840

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 34bc10ec2f872d5f1926cb528b82e9764cef59bdbdaf211d9ff86f1a119c44b8
Instruction ID: 90ae92ab2bbb8444204a605236d93b3d63febed4131398b61940ba9cb78cca3c
Opcode Fuzzy Hash: 34bc10ec2f872d5f1926cb528b82e9764cef59bdbdaf211d9ff86f1a119c44b8
Instruction Fuzzy Hash: 04212131204112AFD7549B24CD82FAA7B95EF85324F18810CF42A8B6E2CB75FC42DBD0

Function 00F978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?), ref: 00F98D8C
Part of subcall function 00F98D7D: lstrcpyW.KERNEL32(00000000,?,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F98DB2
Part of subcall function 00F98D7D: lstrcmpiW.KERNEL32(00000000,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?), ref: 00F98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97923
lstrcpyW.KERNEL32(00000000,?,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97984

Strings

cdecl, xrefs: 00F9797B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 64ce826a97dafb5bc91584866711d76d569237894d32bd31125a73014e1912b5
Instruction ID: e13d125cff2f83cdf12a088fd1d69fa4a3122f83991e28a52f1150d143969185
Opcode Fuzzy Hash: 64ce826a97dafb5bc91584866711d76d569237894d32bd31125a73014e1912b5
Instruction Fuzzy Hash: 8911E43A600305ABDF156F35DC45E7A77A5EF85390B10402AE906C7264EB319801E791

Function 00FC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FAB7AD,00000000), ref: 00FC7D6B

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 295fcb37e195882e8fa669e50a33072c1c41f015a857531f4bb5b80e677a9ed1
Instruction ID: a53be2344b31aa2d7f78641576fc39fdd5d3c63e610d7c18ee23b33130be92a0
Opcode Fuzzy Hash: 295fcb37e195882e8fa669e50a33072c1c41f015a857531f4bb5b80e677a9ed1
Instruction Fuzzy Hash: 03118C32A0461AAFCB11AF28DD05FA63BA5AF45370F154728F83AD72E0D7319950EF90

Function 00F61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb6ea86a290ccee9b4b18be5c4b283ace8d800d54dfbcf5921a7fec86086f47
Instruction ID: 9c926f2455beb7f684b1754dfe9e0aa6b6c3b1a63d7bb371e58c5cf6df541965
Opcode Fuzzy Hash: deb6ea86a290ccee9b4b18be5c4b283ace8d800d54dfbcf5921a7fec86086f47
Instruction Fuzzy Hash: 4201D6B2A05A1A3EF62126786CC1F27762CEF817B8F380326F521522D2DB658C007170

Function 00F91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A8A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c95f1ae0b62abc97e428861f6881a217368176324097ae8309ec52497de6acfe
Instruction ID: 5b26874d3c5382e2365daeaecf66708e7217bf2de0668d02d439aedbe5874252
Opcode Fuzzy Hash: c95f1ae0b62abc97e428861f6881a217368176324097ae8309ec52497de6acfe
Instruction Fuzzy Hash: DF11F73AD01219FFEF119BA5CD85FADBB78FB08750F2000A1EA04B7290D6756E50EB94

Function 00F9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F9E24D

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 37d9a2322d1752aa4faca06535714c8d71d04dbca4bf3bf6fe426e3b1a74a177
Instruction ID: 1921e3bad3547f460dbda3462876c3ce3b452763af2d3c0434ef616eea5ba6e2
Opcode Fuzzy Hash: 37d9a2322d1752aa4faca06535714c8d71d04dbca4bf3bf6fe426e3b1a74a177
Instruction Fuzzy Hash: 08112672D04258BFDB11DFA8AC0AE9E7FACEB45320F148215F928E3281D6B5CD0497A0

Function 00F5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F5CFF9,00000000,00000004,00000000), ref: 00F5D218
GetLastError.KERNEL32 ref: 00F5D224
__dosmaperr.LIBCMT ref: 00F5D22B
ResumeThread.KERNEL32(00000000), ref: 00F5D249

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e543ae07f896ad487517e44655f8596fc7cd91413d29793d6ba16a916d5713fd
Instruction ID: e88086efaff1f943ff6face9ff8ae7ec90e14cbe71837f784065366db93005c4
Opcode Fuzzy Hash: e543ae07f896ad487517e44655f8596fc7cd91413d29793d6ba16a916d5713fd
Instruction Fuzzy Hash: A201F9768066087BD7315BA5DC05FAE7A69DF81332F100259FE25921D0DB75C909F7E0

Function 00FC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetClientRect.USER32(?,?), ref: 00FC9F31
GetCursorPos.USER32(?), ref: 00FC9F3B
ScreenToClient.USER32(?,?), ref: 00FC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FC9F7A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 807a31659244b3d523127e8e04aafbda2f249ef1444096f0afa1c2d3614a3ff9
Instruction ID: 8b8e8524542221f470c02f9840c8587ae4f7304e5a95da9b74b65fa5a59deff6
Opcode Fuzzy Hash: 807a31659244b3d523127e8e04aafbda2f249ef1444096f0afa1c2d3614a3ff9
Instruction Fuzzy Hash: D711183290411AEBDB11DF68DA8AEEE77B9FB45311F000459F911E3140D775BA81EBA1

Function 00F3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F3604C
GetStockObject.GDI32(00000011), ref: 00F36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F3606A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 02f35ae8e1257679a0184536f9dff1ab0e26630b06375459997c9135c8245870
Instruction ID: 3d0c240a2a2bfcd2c35ad5f9558606803bbad6230347ea99749be680023897f3
Opcode Fuzzy Hash: 02f35ae8e1257679a0184536f9dff1ab0e26630b06375459997c9135c8245870
Instruction Fuzzy Hash: 4C116DB2501508BFEF164FA49D46EEABB69EF093B4F044216FA1892110D736DC60FBA0

Function 00F53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F53B56

Part of subcall function 00F53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F53AD2
Part of subcall function 00F53AA3: ___AdjustPointer.LIBCMT ref: 00F53AED

_UnwindNestedFrames.LIBCMT ref: 00F53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F53BA4

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0c88a69af704ad1c8f587265d49967e995174b32f1cfcedfa479e9d3c69af7bc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: A6012932500148BBDF125E99CC42EEB3B69EF887A9F044014FF4896121C736E965EBA0

Function 00F63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F313C6,00000000,00000000,?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue), ref: 00F630A5
GetLastError.KERNEL32(?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue,00FD2290,FlsSetValue,00000000,00000364,?,00F62E46), ref: 00F630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue,00FD2290,FlsSetValue,00000000), ref: 00F630BF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 14e61367aea5ce794db5bc23aff2e5a84b8ebd65705f29ca6036771b69a4475f
Instruction ID: bf14876d1139bb4fa61cf9e37d8b4c7e771b245d9707dfa6b38a28994ea76be0
Opcode Fuzzy Hash: 14e61367aea5ce794db5bc23aff2e5a84b8ebd65705f29ca6036771b69a4475f
Instruction Fuzzy Hash: 3101F732701226BBCB314B79AC45E677B98EF45BB9B100720F909E3140C721D909E6E0

Function 00F97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F974CA

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 120ac3b9d499ae46067795d1c0a6b4050c884f0d13dfc1d7a682a2dd8fd85c23
Instruction ID: 218c2d95ff1a4f2a4597e9fcdf24f7476090667effa338d39bdc6cb4327dbbf3
Opcode Fuzzy Hash: 120ac3b9d499ae46067795d1c0a6b4050c884f0d13dfc1d7a682a2dd8fd85c23
Instruction Fuzzy Hash: BE117CB1615314DBFB20DF19DD09F927BB8EB00B00F108569E61AD7192D770E904AB90

Function 00F9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B126

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: bb53a9da0ab159c19e107a50e9bf73054b1c5af7597a3e5445d04957fa461273
Instruction ID: 9fe8d4fdb16d49c5076d3f6a9e7d471c27c3a49995ee0732e7db330947261856
Opcode Fuzzy Hash: bb53a9da0ab159c19e107a50e9bf73054b1c5af7597a3e5445d04957fa461273
Instruction Fuzzy Hash: C0115B31C0162CE7DF00AFE5EA69AEEBF78FF49711F114095D941B3181CB305690AB91

Function 00FC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FC7E33
ScreenToClient.USER32(?,?), ref: 00FC7E4B
ScreenToClient.USER32(?,?), ref: 00FC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FC7E8A

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f4b712aacbdd29a9b24b8243c8c37e898a9bfc144ea35193784846a031a42314
Instruction ID: c0d0f4b62357bcf0236d9d663ba72efadd93a437388e007cdc9d813510399999
Opcode Fuzzy Hash: f4b712aacbdd29a9b24b8243c8c37e898a9bfc144ea35193784846a031a42314
Instruction Fuzzy Hash: 9A1143B9D0020AAFDB41DF98C985AEEBBF5FF08310F505056E915E3210D735AA55DF90

Function 00F92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F92DD6
GetCurrentThreadId.KERNEL32 ref: 00F92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F92DE4

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 44e4dbd15b1b616dd9f7fb305a2cb2d33b23498a9e6252eeb57a4e60a5161bc9
Instruction ID: 144dee92e64faa8a6624549b5f151be75f179b1a7d99048983155b2a260a818c
Opcode Fuzzy Hash: 44e4dbd15b1b616dd9f7fb305a2cb2d33b23498a9e6252eeb57a4e60a5161bc9
Instruction Fuzzy Hash: 2CE065715012287AEB2017639D0EFE73E5CEF42B61F000015F109D20409AA18445F6F0

Function 00FC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496A2
Part of subcall function 00F49639: BeginPath.GDI32(?), ref: 00F496B9
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FC8887
LineTo.GDI32(?,?,?), ref: 00FC8894
EndPath.GDI32(?), ref: 00FC88A4
StrokePath.GDI32(?), ref: 00FC88B2

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 95405e36052e4e5ad9e37b7c1c0df9d0fc9e25b668cc719f878a003f69f3baf9
Instruction ID: 9b63ccc69464b041c584f1f44f85084b2d9998bae0e21f412e6f42e7b647afa8
Opcode Fuzzy Hash: 95405e36052e4e5ad9e37b7c1c0df9d0fc9e25b668cc719f878a003f69f3baf9
Instruction Fuzzy Hash: 0AF05E36045259FADB225F94AD0AFDE3F59AF06310F048004FA55A60E1C7B95511EFE5

Function 00F498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F498CC
SetTextColor.GDI32(?,?), ref: 00F498D6
SetBkMode.GDI32(?,00000001), ref: 00F498E9
GetStockObject.GDI32(00000005), ref: 00F498F1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 96552f8f42157becf96a02fbaa393c25dfad74ce8a45c905fd37aa6f158082d6
Instruction ID: 5c1c4ceddffb8e5fd02ad80ee2e231ab27fad2f1d231e62b30bd7e67d193f91e
Opcode Fuzzy Hash: 96552f8f42157becf96a02fbaa393c25dfad74ce8a45c905fd37aa6f158082d6
Instruction Fuzzy Hash: B0E06531644284AEDB216B75BD0AFD93F10AB51735F188219F6FD590E1C3718640BB10

Function 00F9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F911D9), ref: 00F9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F911D9), ref: 00F91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F911D9), ref: 00F9164F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bca393a582915906600dd5a68e5298d5218136badb4826c3382f8c126f5301ba
Instruction ID: fe12c3bd0f2ca3a3df0fe1b138b698db01c2aa7ecb957ea13cd944e2b6fa2322
Opcode Fuzzy Hash: bca393a582915906600dd5a68e5298d5218136badb4826c3382f8c126f5301ba
Instruction Fuzzy Hash: FBE08671E41215DBEB201FA0AF0EF863B7CBF847A1F184818F249CA080D6358441E790

Function 00F8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F8D858
GetDC.USER32(00000000), ref: 00F8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F8D882
ReleaseDC.USER32(?), ref: 00F8D8A3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 674cf15e36a41e750dc82351f9c6450270ee939679fdbaa66f429d474ec3ba35
Instruction ID: 76a214a5b8b12438c8e0a5f1706fcfd5792bfbbde9d2bf25199ea6c5332c53dd
Opcode Fuzzy Hash: 674cf15e36a41e750dc82351f9c6450270ee939679fdbaa66f429d474ec3ba35
Instruction Fuzzy Hash: 1EE09AB5840209DFCB41AFA4DA0DA6DBBB5FB48311F148459E84EE7250C7399942BF90

Function 00F8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F8D86C
GetDC.USER32(00000000), ref: 00F8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F8D882
ReleaseDC.USER32(?), ref: 00F8D8A3

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7a1b9e512ac22d0ca4b0a8023fe0e2fc676f5e90cf111d13c9f0095ab054513
Instruction ID: 1162f6728b65c86691595b0d65a79818ae836713465b2b0507efc878af7135cc
Opcode Fuzzy Hash: a7a1b9e512ac22d0ca4b0a8023fe0e2fc676f5e90cf111d13c9f0095ab054513
Instruction Fuzzy Hash: CCE092B5C00208EFCB51AFA4DA0DA6DBBB5BB48311F148449E94EE7250CB399902BF90

Function 00F3BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F3BEB3

Strings

D%, xrefs: 00F3BC2F
D%, xrefs: 00F3BC28

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%$D%
API String ID: 1385522511-485025506
Opcode ID: 3738c92ba9d45e618168756cf39bff34c91476b95b40f9e89446452b06fb443b
Instruction ID: 2e8cdb7c856792cddef04331c4262e98887227b240044b8142f20c7b13a7833d
Opcode Fuzzy Hash: 3738c92ba9d45e618168756cf39bff34c91476b95b40f9e89446452b06fb443b
Instruction Fuzzy Hash: A1911B75E00206DFCB28CF59C0A16A9B7F1FF58325F24416EDA85AB351D731E981EB90

Function 00FA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FA4ED4

Strings

*, xrefs: 00FA4E10
LPT, xrefs: 00FA4DFB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2bd2b64f0fa2e8bb2454a07394bc4b2052a77b0eb9d4d177d707526ebc93b574
Instruction ID: 11a1675128611ebb7451a58e27779045c30c2c71d7ce061ed7b57ee7681c0533
Opcode Fuzzy Hash: 2bd2b64f0fa2e8bb2454a07394bc4b2052a77b0eb9d4d177d707526ebc93b574
Instruction Fuzzy Hash: 409161B5A00204DFCB14DF58C485EAABBF1BF85314F198099E80A9F3A2C775ED85DB91

Function 00F5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F5E30D

Strings

pow, xrefs: 00F5E2E5, 00F5E302

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 023a1bf50456337be355d760fd0149bb4c13f172e2e70535d91bca03659d9005
Instruction ID: 0d9bc7823350ded7b9a10e338e7994d098e8451abdb5872f95de85bef107a9db
Opcode Fuzzy Hash: 023a1bf50456337be355d760fd0149bb4c13f172e2e70535d91bca03659d9005
Instruction Fuzzy Hash: F3518E61E0C30196CB197724CD0137A7F94AB60766F304D99E8D5422EDEB358DCDBB86

Function 00F4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F4E1B1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: c505a43fba767466dbbabecf5eac7d978bbdd856d420e2f74a2b0970b417e357
Instruction ID: b01389cc9061adf678ca0a7a0d2c8c4b74af5ce210c5fa4434a6d370a628fe42
Opcode Fuzzy Hash: c505a43fba767466dbbabecf5eac7d978bbdd856d420e2f74a2b0970b417e357
Instruction Fuzzy Hash: 2C51F235E04246DFDB15EF28C8816FE7BA8FF55320F244055ECA19B290D7789E42EB90

Function 00F4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F4F2BB

Strings

@, xrefs: 00F4F2AF

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9bc0238f8b4b1e576644f9e1fb9be883e4f1d92a634d6e1db54c38277f40d65d
Instruction ID: 9d882b8d41fcdfa7a3181e5d1932858686253ff690acd0059ad2a47548e15605
Opcode Fuzzy Hash: 9bc0238f8b4b1e576644f9e1fb9be883e4f1d92a634d6e1db54c38277f40d65d
Instruction Fuzzy Hash: B95137B140C7489BD320AF11DC86BAFBBF8FB84310F81885DF2D952195EB748529DB66

Function 00FB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FB57E0
_wcslen.LIBCMT ref: 00FB57EC

Strings

CALLARGARRAY, xrefs: 00FB57E6, 00FB57EB

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 5205076a73761130e3b517119ced8c7d936fa29d9dd5e61455e8d4fcaa677399
Instruction ID: 3dc8b9b62c3fb12eed21150cdf7ad36c66e92bbe5f23d8a3675c98f87961abe0
Opcode Fuzzy Hash: 5205076a73761130e3b517119ced8c7d936fa29d9dd5e61455e8d4fcaa677399
Instruction Fuzzy Hash: A3419F31E002099FCB14DFAAC882AEEBBB5EF59724F144029E505A7251E778DD81EF90

Function 00FAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FAD13A

Strings

|, xrefs: 00FAD10B

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f0b2c2aea5d41ad610cb2ebcc6b8f947a6f40f55f3303617beefbfe8ba816bab
Instruction ID: 3c3e24b0e313a9c1e000d4691af83ae882838879d596ca375fcbaa8b9e5a803f
Opcode Fuzzy Hash: f0b2c2aea5d41ad610cb2ebcc6b8f947a6f40f55f3303617beefbfe8ba816bab
Instruction Fuzzy Hash: 97313E71D00109EBDF15EFA4CC85AEE7FB9FF05310F104019F815A6161D735AA46EB64

Function 00FC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC4634

Strings

', xrefs: 00FC458E

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 324617a1965e0b82d2be3681b3fc854bdd4fd450c0dda0cc8d465c66b9bf87fe
Instruction ID: 04f453ed61a9012287b9bdcc55f16a289f42a13e948bd65ad1ac080fcd153758
Opcode Fuzzy Hash: 324617a1965e0b82d2be3681b3fc854bdd4fd450c0dda0cc8d465c66b9bf87fe
Instruction Fuzzy Hash: FF313975A0020A9FDB14CF69CA91FDABBB5FF49310F14446AE904AB385D770A941EF90

Function 00FC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC3287

Strings

Combobox, xrefs: 00FC3249

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: dc7d7178ff97b112af1062aa60839d8961a44e29976a54a82e3781722ab77d2e
Instruction ID: 4bb80e7008905cd6f0f185c6a15de268f17b467753a9be9f46b4d57226114778
Opcode Fuzzy Hash: dc7d7178ff97b112af1062aa60839d8961a44e29976a54a82e3781722ab77d2e
Instruction Fuzzy Hash: A811E27170020A7FEF219E54DD82FFB376AEB943B4F108128F91897290D631DD51A760

Function 00FACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FACDA6

Strings

<local>, xrefs: 00FACD66

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1efb0971847ed22c4c3ef3e778e2f9957dd375969a73a2059a4a0a5b2b057621
Instruction ID: d9033af4d6d3a068badd62f66f0eda61cdae57e31349da8564ea043a804d582b
Opcode Fuzzy Hash: 1efb0971847ed22c4c3ef3e778e2f9957dd375969a73a2059a4a0a5b2b057621
Instruction Fuzzy Hash: 8411A3B26156367AD7244B668C45FE7BE6CEF137B4F004226F12983180D7609840E6F0

Function 00F96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F96CB6
_wcslen.LIBCMT ref: 00F96CC2

Strings

STOP, xrefs: 00F96CBC, 00F96CC1

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7037d3262c2765224f4b3c141a971d56b61d883d949c79d045520ee352b5c99c
Instruction ID: 40d850fc4dd9e01afce3b2102aa4ac832e267dab023be549c44c86cd99108c35
Opcode Fuzzy Hash: 7037d3262c2765224f4b3c141a971d56b61d883d949c79d045520ee352b5c99c
Instruction Fuzzy Hash: 95010432A045278ADF219FBDDC819BF37A4EE60720B000525F862D3190EA75E840E650

Function 00F91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F91D4C

Strings

ComboBox, xrefs: 00F91CEB
ListBox, xrefs: 00F91D16

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ace332fe397bd5fc68e2fcc80f3b7d09884bf3a1cfce263f8df272968cf13764
Instruction ID: b3a8068ee0d18b4b04a8bb5850bda1e2aefa452bcf7da58f7c97388acd5997b4
Opcode Fuzzy Hash: ace332fe397bd5fc68e2fcc80f3b7d09884bf3a1cfce263f8df272968cf13764
Instruction Fuzzy Hash: FB012831E04219AB9F08EBA0CD11DFE73A8FF423A0F00051AF922573D1EAB45908F660

Function 00F91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F91C46

Strings

ComboBox, xrefs: 00F91BE5
ListBox, xrefs: 00F91C10

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d22880e4433ba87f5eab090a903db8bd02279c2b7da883cd020772b1280a807e
Instruction ID: 455b3196ffa1e9e4dda661e818fbe137dfd2925e5240b3dc813e3d95be3543c8
Opcode Fuzzy Hash: d22880e4433ba87f5eab090a903db8bd02279c2b7da883cd020772b1280a807e
Instruction Fuzzy Hash: 0701F771A8810966EF04EB90CE52EFF77A8AF51350F100029B90663281EAA59E08F6B1

Function 00F91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F91CC8

Strings

ComboBox, xrefs: 00F91C69
ListBox, xrefs: 00F91C94

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a546058634786fc42cd2f0f6d160e090df38f67543e6b43c2d1a330d3b465847
Instruction ID: efd387868d3981526ff41e826e1f807a56a92cf20bcde10fc1b08d2af3da6922
Opcode Fuzzy Hash: a546058634786fc42cd2f0f6d160e090df38f67543e6b43c2d1a330d3b465847
Instruction Fuzzy Hash: B601A775B4411966DF04E790CE01AFE77A8AF11350F540025B90573281EAA49F08F671

Function 00F91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F91DD3

Strings

ComboBox, xrefs: 00F91D75
ListBox, xrefs: 00F91DA0

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f4b579fabfa515b30d32df19aef31b0cab2f032b20b8ef0c2b72c2a1a47c28ba
Instruction ID: 965e39a0fb02353086f94202bf488538f1ce6cb4876726f328dcf4cc98abb5dd
Opcode Fuzzy Hash: f4b579fabfa515b30d32df19aef31b0cab2f032b20b8ef0c2b72c2a1a47c28ba
Instruction Fuzzy Hash: 1FF0F471A4421966EF04E7A4CD52FFE77A8BF41360F040926B922A32C1DAE4990CA2A0

Function 00FB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB7493
_wcslen.LIBCMT ref: 00FB74B9

Strings

3, 3, 16, 1, xrefs: 00FB7483

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2371fb37b72f348a23aceaa28538e4b891f1b6702e596a54f3188ea55ef53470
Instruction ID: a88b14117881bc444a12f04ff2ceaedf2d26917dce0a07c57a68b0c9a7af1d1c
Opcode Fuzzy Hash: 2371fb37b72f348a23aceaa28538e4b891f1b6702e596a54f3188ea55ef53470
Instruction Fuzzy Hash: 3EE02B06A04320E09331327BDCC29BF7689CFC5762710182BFE81C2266EA98DDD1B3A1

Function 00F90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F90B23

Strings

Error allocating memory., xrefs: 00F90B1C
AutoIt, xrefs: 00F90B17

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b78fe49c3fc65b7e633a907cd93840cbd884bfa6893b3424e0f9faee031df0f0
Instruction ID: 3bffe48aaabe928ba1d8c17a70365d6a4517bac35ffc52aa5ede24b31d18bf3f
Opcode Fuzzy Hash: b78fe49c3fc65b7e633a907cd93840cbd884bfa6893b3424e0f9faee031df0f0
Instruction Fuzzy Hash: DEE0D8312443083AD21437547D03FC97E848F05F21F10042AFB9C959C38EE6649036E9

Function 00F50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F50D71,?,?,?,00F3100A), ref: 00F4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F3100A), ref: 00F50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F3100A), ref: 00F50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F50D7F

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8e258f0e16443c7adc37d65c1d7d48f0d40a7357dd90576b763490de58492a6a
Instruction ID: d8f19f91606a04279657718a7caebcbbbb70cdfd4c7b74361df04726444c09b9
Opcode Fuzzy Hash: 8e258f0e16443c7adc37d65c1d7d48f0d40a7357dd90576b763490de58492a6a
Instruction Fuzzy Hash: 42E06D702003418BD3309FB8DA05B82BBF0AF00741F00892DE986C7656DFB9E44CAB91

Function 00FA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FA3044

Strings

aut, xrefs: 00FA3038

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 86ab9fcdbfd95065f24c0c177adc42a6765273236df75a6d7e307cc73427dc52
Instruction ID: 5fd49ccb54fad145c54ea93e5c068728c20152ae94c8e4b4b43d6195310f80f3
Opcode Fuzzy Hash: 86ab9fcdbfd95065f24c0c177adc42a6765273236df75a6d7e307cc73427dc52
Instruction Fuzzy Hash: FDD05E7250032C67DA20E7A4AD0EFDB3A6CDB04750F0002A1B659E30A1DAB4D984CAD0

Function 00F8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F8D220

Strings

%.3d, xrefs: 00F8D22B
X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d40b073e54bc2aa37d24d9c43ed005dfb1834f2e07e27fff0907c3f6b23d0bac
Instruction ID: 31203d498f5cfe12c2427302e164e10b8d4915e3da72cbf3302a72d895cd4282
Opcode Fuzzy Hash: d40b073e54bc2aa37d24d9c43ed005dfb1834f2e07e27fff0907c3f6b23d0bac
Instruction Fuzzy Hash: 80D06262C49119F9CB50BAD4DD4AEF9B77CEF59341F508452FD0AD2080D628D5487761

Function 00FC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC236C
PostMessageW.USER32(00000000), ref: 00FC2373

Part of subcall function 00F9E97B: Sleep.KERNEL32 ref: 00F9E9F3

Strings

Shell_TrayWnd, xrefs: 00FC2365

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d36e5f4308706b78bd04952f7c117eb85cb11b37e714b41edef8bf9b1f795c7d
Instruction ID: c2a51021c431737ce0207b6e84e449734411e9f03029dcceb887d7b07198b14b
Opcode Fuzzy Hash: d36e5f4308706b78bd04952f7c117eb85cb11b37e714b41edef8bf9b1f795c7d
Instruction Fuzzy Hash: 43D0C9327813147AE664B7719E0FFC676149B04B14F004916B74AEA1E0C9A4A801AA94

Function 00FC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FC233F

Part of subcall function 00F9E97B: Sleep.KERNEL32 ref: 00F9E9F3

Strings

Shell_TrayWnd, xrefs: 00FC2325

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a554b6024434706ca2263bc42d792f5577a182be18f556ab2016d4484aeff892
Instruction ID: f9bbeba68b68980550c66e8ee35171ead03d99d67503762cc617969e5b009a5e
Opcode Fuzzy Hash: a554b6024434706ca2263bc42d792f5577a182be18f556ab2016d4484aeff892
Instruction Fuzzy Hash: BDD0C936794314B6E664B7719E0FFD67A149B00B14F004916B74AEA1E0C9A4A801AA94

Function 00F6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F6BE93
GetLastError.KERNEL32 ref: 00F6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F6BEFC

Memory Dump Source

Source File: 00000000.00000002.1722816671.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.1722793235.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722892151.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722945635.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722969557.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: aa605880860a04613c2cb0492c8aa5807a3ea2aa1d593daab5a73f34587878ed
Instruction ID: c61bfd96316b9ab7ee47d7bccf754ee254a42abc415ce1a205446e4adc5a56ad
Opcode Fuzzy Hash: aa605880860a04613c2cb0492c8aa5807a3ea2aa1d593daab5a73f34587878ed
Instruction Fuzzy Hash: 17410635A04206AFCF218FA5CC44BBA7BA5EF51320F144169F959DB1B1DB318C85FB60

Analysis Process: firefox.exePID: 7552, Parent PID: 7744COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000024F409B3CF2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000024F409B3D57

Strings

z, xrefs: 0000024F409B3D8B
#, xrefs: 0000024F409B3D82
#, xrefs: 0000024F409B4E31
A, xrefs: 0000024F409B3D4F
z, xrefs: 0000024F409B5336
4, xrefs: 0000024F409B7DD9
>, xrefs: 0000024F409B4B5C
>, xrefs: 0000024F409B7DFF
#, xrefs: 0000024F409B20C5
>, xrefs: 0000024F409B3DB9

Memory Dump Source

Source File: 00000010.00000002.2928711886.0000024F409B1000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000024F409B1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_24f409b1000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction ID: e374f15f0b6668f5a32fbd0cf5ff5a3393185d82a6bd288d74a0254ec8ec64cd
Opcode Fuzzy Hash: a7beeb6ed6d4bd1c13836e24e4a4bf8602c8d7752103ee20adf8d6ea9f6b849f
Instruction Fuzzy Hash: DFA3D431618A4C8FDB6DDF68DC856AA77E5FB98310F14423EDA4AC7251DF34E9028AC1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1750963158.000001C09AE07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1750912987.000001C09AE0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1791660967.000001C09B89F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870012230.000001C09B89F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854728462.000001C09B89F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1853120385.000001C0A1BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1786487772.000001C0A1698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786487772.000001C0A16B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832458164.000001C0A4FCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1786487772.000001C0A1698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786487772.000001C0A16B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832458164.000001C0A4FCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1875778530.000001C09ADC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791660967.000001C09B89F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870012230.000001C09B89F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1853120385.000001C0A1BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1786487772.000001C0A1698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786487772.000001C0A16B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832458164.000001C0A4FCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1786487772.000001C0A1698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786487772.000001C0A16B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832458164.000001C0A4FCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2923250199.0000024F40403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2924449408.0000024B7950C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2923250199.0000024F40403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2924449408.0000024B7950C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2923250199.0000024F40403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2924449408.0000024B7950C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1875778530.000001C09AD63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750912987.000001C09AE0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1875778530.000001C09ADC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791660967.000001C09B89F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853167122.000001C0A1BA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1853120385.000001C0A1BC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877882427.000001C09A451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1853167122.000001C0A1BA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872888151.000001C0A1BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1864122082.000001C09ABB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875778530.000001C09ADE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875778530.000001C09AD89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.114.100:443 -> 192.168.2.4:59707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:59748 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.114.100
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 59708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59707
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59745
Source: unknown	Network traffic detected: HTTP traffic on port 59746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59744
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59901
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59746
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 59707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59741
Source: unknown	Network traffic detected: HTTP traffic on port 59742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59742
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_900abc6c-abba-435f-9234-3abee6a4a246.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_900abc6c-abba-435f-9234-3abee6a4a246.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre