Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546648
MD5:	47e53a1655bb6d29868f5a784f62177d
SHA1:	132b0df160a02064f3f8e6a506118cd380a3f5ee
SHA256:	06ebef8676c90791d679ecb47b67e33da9908034b529eab7d278530eab431d8b
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 980 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 47E53A1655BB6D29868F5A784F62177D)

taskkill.exe (PID: 6376 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1020 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4940 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4248 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2484 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2352 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6616 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1700 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6992 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aeda06e-1277-45a8-823c-dc715986717c} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd6816e510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7696 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3120 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa0e31d-f123-4488-bb82-ef33fd8d5505} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd7a133110 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6672 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {478ec684-3c8f-4465-8153-7285f54d1359} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd83b44d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 980	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T11:29:47.353868+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49763	TCP
2024-11-01T11:30:25.593404+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49786	TCP

Code function: 0_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_006EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_006DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00709576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00709576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_21c92271-e
Source: file.exe, 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_44de58e7-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ab420e90-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3ae2a8df-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026387098DB7 NtQuerySystemInformation,		16_2_0000026387098DB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000263870CB2B2 NtQuerySystemInformation,		16_2_00000263870CB2B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_006DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067BF40	0_2_0067BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00678060	0_2_00678060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E2046	0_2_006E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D8298	0_2_006D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006AE4FF	0_2_006AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A676B	0_2_006A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00704873	0_2_00704873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067CAF0	0_2_0067CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069CAA0	0_2_0069CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068CC39	0_2_0068CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A6DD9	0_2_006A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068D065	0_2_0068D065
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068B119	0_2_0068B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006791C0	0_2_006791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00691394	0_2_00691394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00691706	0_2_00691706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069781B	0_2_0069781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068997D	0_2_0068997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00677920	0_2_00677920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006919B0	0_2_006919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00697A4A	0_2_00697A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00691C77	0_2_00691C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00697CA7	0_2_00697CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FBE44	0_2_006FBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A9EEE	0_2_006A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00691F32	0_2_00691F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000026387098DB7	16_2_0000026387098DB7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000263870CB2B2	16_2_00000263870CB2B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000263870CB2F2	16_2_00000263870CB2F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000263870CB9DC	16_2_00000263870CB9DC

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00690A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0068F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@74/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E37B5 GetLastError,FormatMessageW,

0_2_006E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D10BF AdjustTokenPrivileges,CloseHandle,		0_2_006D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006DD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006DD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_006E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006742A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768757475.000001DD83BD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1768757475.000001DD83BDE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aeda06e-1277-45a8-823c-dc715986717c} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd6816e510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3120 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa0e31d-f123-4488-bb82-ef33fd8d5505} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd7a133110 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {478ec684-3c8f-4465-8153-7285f54d1359} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd83b44d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aeda06e-1277-45a8-823c-dc715986717c} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd6816e510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3120 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa0e31d-f123-4488-bb82-ef33fd8d5505} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd7a133110 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {478ec684-3c8f-4465-8153-7285f54d1359} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd83b44d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mswsock.pdbP4O source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000D.00000003.1852056433.000001DD79071000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1858394818.000001DD77972000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winsta.pdb source: firefox.exe, 0000000D.00000003.1851529405.000001DD79611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000D.00000003.1834899590.000001DD77936000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841391112.000001DD7793A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842392923.000001DD77938000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828291018.000001DD7793F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WscApi.pdb source: firefox.exe, 0000000D.00000003.1840839383.000001DD79AE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1858394818.000001DD77972000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1858394818.000001DD77972000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1856634602.000001DD7796D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nsi.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1852056433.000001DD79071000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000D.00000003.1852056433.000001DD79092000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: winrnr.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dcomp.pdb source: firefox.exe, 0000000D.00000003.1840839383.000001DD79AE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdbGCTL source: firefox.exe, 0000000D.00000003.1834899590.000001DD77936000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841391112.000001DD7793A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1842392923.000001DD77938000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828291018.000001DD7793F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscms.pdb source: firefox.exe, 0000000D.00000003.1840839383.000001DD79AE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: twinapi.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1856634602.000001DD7796D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnsapi.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: firefox.exe, 0000000D.00000003.1840839383.000001DD79AE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mswsock.pdbp,P source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nlaapi.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1857240519.000001DD7C021000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1858394818.000001DD77972000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: firefox.exe, 0000000D.00000003.1840839383.000001DD79AE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: devobj.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1857240519.000001DD7C021000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdb source: firefox.exe, 0000000D.00000003.1840839383.000001DD79AE4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: firefox.exe, 0000000D.00000003.1851700200.000001DD790F9000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006742DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00690A76 push ecx; ret

0_2_00690A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0068F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0068F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00701C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00701C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94480

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000026387098DB7 rdtsc

16_2_0000026387098DB7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E68EE FindFirstFileW,FindClose,	0_2_006E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_006E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_006E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_006E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006742DE

Source: firefox.exe, 0000000F.00000002.3505881563.000001F16349A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 00000011.00000002.3508502465.0000018CEB580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQ
Source: firefox.exe, 00000010.00000002.3509017152.0000026387790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: firefox.exe, 0000000F.00000002.3505881563.000001F16349A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3509349911.000001F163A06000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3509017152.0000026387790000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3505294426.0000018CEB1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3508732982.000001F16391B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3505692338.000002638700A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0gy
Source: firefox.exe, 0000000F.00000002.3509349911.000001F163A06000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3509017152.0000026387790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000026387098DB7 rdtsc

16_2_0000026387098DB7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006EEAA2 BlockInput,

0_2_006EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00694CE8 mov eax, dword ptr fs:[00000030h]

0_2_00694CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_006D0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0069083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006909D5 SetUnhandledExceptionFilter,	0_2_006909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00690C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00690C21

Source: C:\Users\user\Desktop\file.exe

0_2_006D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006DB226 SendInput,keybd_event,

0_2_006DB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006F22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_006D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1824810741.000001DD7C021000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00690698 cpuid

0_2_00690698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_006E8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006CD27A GetUserNameW,

0_2_006CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006ABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006ABB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006742DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 980, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 980, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_006F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.1	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.129.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	172.217.18.110	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.206	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.129.140	true	false	unknown
ipv4only.arpa	192.0.0.170	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3506413536.0000018CEB4C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1819409336.000001DD8016B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1843576065.000001DD81572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766693130.000001DD7886B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766493116.000001DD7886B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764680240.000001DD81329000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769500182.000001DD81572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817974620.000001DD81572000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3506849619.000001F1638B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.00000263873E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3508632971.0000018CEB704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1723117787.000001DD7FE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794517665.000001DD7FE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718730581.000001DD7FE4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3506876814.0000026387389000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3506413536.0000018CEB48E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1847906735.000001DD7A75B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1727319938.000001DD78CE9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.comP	firefox.exe, 0000000D.00000003.1838989006.000001DD7A2EA000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1831536519.000001DD7FD51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1817889088.000001DD818CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835796791.000001DD7B588000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1774388796.000001DD7FFED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687129497.000001DD77C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1686864376.000001DD77A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687420433.000001DD77C5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1726153850.000001DD78BD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1771224859.000001DD809F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1834091163.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829104929.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1815001867.000001DD838AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1819409336.000001DD8018B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687129497.000001DD77C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792414245.000001DD792D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818958529.000001DD80883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773718074.000001DD80883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1686864376.000001DD77A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687420433.000001DD77C5A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1832800239.000001DD7B37F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1687270368.000001DD77C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687567532.000001DD77C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687129497.000001DD77C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1686864376.000001DD77A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687420433.000001DD77C5A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1832175783.000001DD7B5D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849080111.000001DD7A1DF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1847906735.000001DD7A75B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3506849619.000001F1638B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.00000263873E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3508632971.0000018CEB704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1817398590.000001DD8387D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.li	firefox.exe, 0000000D.00000003.1734890124.000001DD791C1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ok.ru/	firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1819409336.000001DD801C2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1769500182.000001DD815CF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3506849619.000001F1638B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.00000263873E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3508632971.0000018CEB704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1766493116.000001DD7885D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1727319938.000001DD78CE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3506413536.0000018CEB4C3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1849306403.000001DD79F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840063498.000001DD79F75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1767245790.000001DD788B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766493116.000001DD7883B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1781669703.000001DD79286000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1835245802.000001DD818F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1771224859.000001DD809F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1829392941.000001DD818CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1831536519.000001DD7FD51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.0000026387312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3506413536.0000018CEB413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727319938.000001DD78CE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/CN=The	firefox.exe, 00000011.00000002.3506413536.0000018CEB413000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1766609574.000001DD78826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767245790.000001DD788B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1801529477.000001DD788FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849080111.000001DD7A15C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763448696.000001DD80FB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823690069.000001DD788FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779835013.000001DD80FDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812275776.000001DD79730000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782997248.000001DD780D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722905513.000001DD7FE3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729441618.000001DD7FDB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1796791484.000001DD788D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1774805137.000001DD7FDF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1780831762.000001DD80FC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812348371.000001DD79726000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777760757.000001DD792B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723117787.000001DD7FE4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1812579523.000001DD7977A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786713892.000001DD7FE99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794517665.000001DD7FE46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835496628.000001DD7B8E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878584398.000001DD788FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718987701.000001DD7FE42000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1832800239.000001DD7B37F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1846505916.000001DD7B30C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832800239.000001DD7B37F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1835496628.000001DD7B8E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1831617026.000001DD7B8E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1729441618.000001DD7FDDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1729441618.000001DD7FDDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1723117787.000001DD7FE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1794517665.000001DD7FE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718730581.000001DD7FE4F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1774388796.000001DD7FF35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830239249.000001DD7FF5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1688889664.000001DD77433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1689927685.000001DD77433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875074793.000001DD77439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1689689910.000001DD7741B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1766609574.000001DD78826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767245790.000001DD788B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1843709472.000001DD808C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773375052.000001DD808C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834319186.000001DD808C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818585908.000001DD808C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1846387814.000001DD7B38D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832403184.000001DD7B38B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1766665457.000001DD7881C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766493116.000001DD7885D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767245790.000001DD788B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766493116.000001DD7883B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1688889664.000001DD77433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1689927685.000001DD77433000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1875074793.000001DD77439000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1689689910.000001DD7741B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3506849619.000001F1638B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.00000263873E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3508632971.0000018CEB704000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1843850505.000001DD80140000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1727319938.000001DD78CE9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1768757475.000001DD83BD6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1687420433.000001DD77C5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1781669703.000001DD792D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687270368.000001DD77C3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687567532.000001DD77C77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687129497.000001DD77C1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792414245.000001DD792D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850142842.000001DD796D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1818958529.000001DD80883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1773718074.000001DD80883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1686864376.000001DD77A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1687420433.000001DD77C5A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1847906735.000001DD7A75B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3506412740.000001F1635D0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3505902440.0000026387040000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3506122457.0000018CEB290000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1819409336.000001DD801C2000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
172.217.18.110	youtube.com	United States	15169	GOOGLEUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546648
Start date and time:	2024-11-01 11:28:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@74/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 35.160.212.113, 54.185.230.140, 2.22.61.56, 2.22.61.59, 142.250.185.174, 142.250.186.46, 216.58.206.42, 216.58.212.170
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	34.36.216.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	https://pcapp.store/pixel.gif	Get hash	malicious	Unknown	Browse	151.101.193.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://delview.com/MobileDefault.aspx?reff=https%3A%2F%2Fstrasburgva.jimdosite.com	Get hash	malicious	Unknown	Browse	151.101.2.79
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	34.36.216.150
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8e1024c6-a904-4ad9-9906-d3c31a0dc2d3.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177613531159151
Encrypted:	false
SSDEEP:	192:zajMXkGZcbhbVbTbfbRbObtbyEl7nEr5JA6WnSrDtTUd/SkDrZ:GYhcNhnzFSJkrUBnSrDhUd/b
MD5:	D8DA26C8D09CAB8BE89844B06FD86A19
SHA1:	C07AF14FB6D663210AA803F76005DD3892B4943D
SHA-256:	0EAF498F7411553A9AD25A1FCED06A7D75ED8343D87E816A21D80D79C9E8A2A8
SHA-512:	828DAFF9E5366C2AB11CC2BC619A9186268C5FF856D2120F94B89FC0F4B0DDD6BEBA45ABFC52BD9CBDDCF234447506FB7A02050737F8CC52C63A79844C0B95D7
Malicious:	false
Preview:	{"type":"uninstall","id":"8e1024c6-a904-4ad9-9906-d3c31a0dc2d3","creationDate":"2024-11-01T12:05:40.705Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8e1024c6-a904-4ad9-9906-d3c31a0dc2d3.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.177613531159151
Encrypted:	false
SSDEEP:	192:zajMXkGZcbhbVbTbfbRbObtbyEl7nEr5JA6WnSrDtTUd/SkDrZ:GYhcNhnzFSJkrUBnSrDhUd/b
MD5:	D8DA26C8D09CAB8BE89844B06FD86A19
SHA1:	C07AF14FB6D663210AA803F76005DD3892B4943D
SHA-256:	0EAF498F7411553A9AD25A1FCED06A7D75ED8343D87E816A21D80D79C9E8A2A8
SHA-512:	828DAFF9E5366C2AB11CC2BC619A9186268C5FF856D2120F94B89FC0F4B0DDD6BEBA45ABFC52BD9CBDDCF234447506FB7A02050737F8CC52C63A79844C0B95D7
Malicious:	false
Preview:	{"type":"uninstall","id":"8e1024c6-a904-4ad9-9906-d3c31a0dc2d3","creationDate":"2024-11-01T12:05:40.705Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	dropped
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3046951173909074
Encrypted:	false
SSDEEP:	24:MYYdfa2qd2DAhTIUx2dWoM15lpLN8zmCYrdfa2qd2DAhswM+bpoqdWoM15lpLFXU:GdymUgdw3EzEdy26Bdw3UGdy2adw321
MD5:	07588FFC1B0387BF4426E07E29C41EED
SHA1:	E06A17FF6FBAAC39C7482C80798FD31C9D26895F
SHA-256:	2380E6F2E1E07520882871380812CBDEB4B0542223EEC7383D166FD459435B2B
SHA-512:	2D719E39267F4D95C9BCA656BA6BD5E57BE0B473A429A027B20AAC61F32B10C50D291A0BBA6FF9F168F545B78A1C4F40C59E1849712923DF0D46E1D6BCAAF5A1
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."GU.H,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IaY.S....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaY.S............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaY.S..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3046951173909074
Encrypted:	false
SSDEEP:	24:MYYdfa2qd2DAhTIUx2dWoM15lpLN8zmCYrdfa2qd2DAhswM+bpoqdWoM15lpLFXU:GdymUgdw3EzEdy26Bdw3UGdy2adw321
MD5:	07588FFC1B0387BF4426E07E29C41EED
SHA1:	E06A17FF6FBAAC39C7482C80798FD31C9D26895F
SHA-256:	2380E6F2E1E07520882871380812CBDEB4B0542223EEC7383D166FD459435B2B
SHA-512:	2D719E39267F4D95C9BCA656BA6BD5E57BE0B473A429A027B20AAC61F32B10C50D291A0BBA6FF9F168F545B78A1C4F40C59E1849712923DF0D46E1D6BCAAF5A1
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."GU.H,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IaY.S....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaY.S............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaY.S..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N2YU3HEZYD5C986D5N5B.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3046951173909074
Encrypted:	false
SSDEEP:	24:MYYdfa2qd2DAhTIUx2dWoM15lpLN8zmCYrdfa2qd2DAhswM+bpoqdWoM15lpLFXU:GdymUgdw3EzEdy26Bdw3UGdy2adw321
MD5:	07588FFC1B0387BF4426E07E29C41EED
SHA1:	E06A17FF6FBAAC39C7482C80798FD31C9D26895F
SHA-256:	2380E6F2E1E07520882871380812CBDEB4B0542223EEC7383D166FD459435B2B
SHA-512:	2D719E39267F4D95C9BCA656BA6BD5E57BE0B473A429A027B20AAC61F32B10C50D291A0BBA6FF9F168F545B78A1C4F40C59E1849712923DF0D46E1D6BCAAF5A1
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."GU.H,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IaY.S....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaY.S............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaY.S..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TUHCJ7T574UJFMNWO596.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3046951173909074
Encrypted:	false
SSDEEP:	24:MYYdfa2qd2DAhTIUx2dWoM15lpLN8zmCYrdfa2qd2DAhswM+bpoqdWoM15lpLFXU:GdymUgdw3EzEdy26Bdw3UGdy2adw321
MD5:	07588FFC1B0387BF4426E07E29C41EED
SHA1:	E06A17FF6FBAAC39C7482C80798FD31C9D26895F
SHA-256:	2380E6F2E1E07520882871380812CBDEB4B0542223EEC7383D166FD459435B2B
SHA-512:	2D719E39267F4D95C9BCA656BA6BD5E57BE0B473A429A027B20AAC61F32B10C50D291A0BBA6FF9F168F545B78A1C4F40C59E1849712923DF0D46E1D6BCAAF5A1
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."GU.H,..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IaY.S....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WaY.S............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WaY.S..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928362832752855
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL4LT8P:8S+OBIUjOdwiOdYVjjwL4LT8P
MD5:	8874D945406A9F5002AA5324FA222FA8
SHA1:	DD96A0B1DFEF604BC83EC182F2687731049EFCE3
SHA-256:	09B6343DB86D77B76110C68B0826136DB8390BFF04107FEB0B76FAC5A0B4F7EB
SHA-512:	9B09F8836707FF4BE5E7EF498C752AF14E667897718197ABF410A3A3D941D4961796F9620350D4F6800516032EBE980C78908C9F2AD71CFBF8F46B93970F9FCA
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928362832752855
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL4LT8P:8S+OBIUjOdwiOdYVjjwL4LT8P
MD5:	8874D945406A9F5002AA5324FA222FA8
SHA1:	DD96A0B1DFEF604BC83EC182F2687731049EFCE3
SHA-256:	09B6343DB86D77B76110C68B0826136DB8390BFF04107FEB0B76FAC5A0B4F7EB
SHA-512:	9B09F8836707FF4BE5E7EF498C752AF14E667897718197ABF410A3A3D941D4961796F9620350D4F6800516032EBE980C78908C9F2AD71CFBF8F46B93970F9FCA
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333359575325823
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkis:DLhesh7Owd4+ji
MD5:	856DD0837B4818E1AA8F3F11869F629B
SHA1:	BDD92E15ADF894F598DF55D043F6BB236C98CD3F
SHA-256:	0E8CEE05B0B0651C3C474758A903C33A47D71DE8602E8E3D764E6795DCA7EA98
SHA-512:	4F09BC48CACC6DBBF409E84BE8FB309C77F99F5D7BF1CDF9698F9679E6154109C8EFAC7882AE5B98EBB860C5348F1DF800AD2EA15B988E95EC8A0A5273B3FFFE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.038931135672181434
Encrypted:	false
SSDEEP:	3:GHlhVFsytcIgx+94HlhVFsytcIgx+ltlil8a9//Ylll4llqlyllel4lt:G7V6ytcKG7V6ytcKXQL9XIwlio
MD5:	C3E990E6B4CAD1182BC123346DBAEEE3
SHA1:	250C860154A71DB8F5CFE02E350EA575602E4ED5
SHA-256:	A02E8AB3E5D68906FEC107BE83E3569D044025E751EE8B5ECF8ED2166FA47AFC
SHA-512:	E46FA764FA5775531F19A2A8C353559BD726885D2B39F47D1A041CEB521562ABC70C1188C52351100F972D76080873C2EE25C200A9E146697748488D32ED8A77
Malicious:	false
Preview:	..-......................1.5.H....4A. }].x.0O...-......................1.5.H....4A. }].x.0O.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11799045082179721
Encrypted:	false
SSDEEP:	24:Kgtx/fkdLxsZ+4jxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxluwlUVZ2i7+:btx/MjQHJtUnWdU+RVxlPEZk
MD5:	0F76D0BE254D44A96103EAF44DE99D8A
SHA1:	15ED47DADFA342AB435A107F09F514C15F05AECB
SHA-256:	13ABE26101044D0693A570A3F62CB4778A72C9E94C640131B665CD514679FF44
SHA-512:	F90CEA48C5B3AED7FB25CE50EF9D2C5A6684B4B0F7BC16FDF932CF7E294E29D40B7538BC8FF696F12614AC11F615FF0AD4F647EC11435CEF2A39F260D50B6DD4
Malicious:	false
Preview:	7....-..............4A. . ...9.............4A. <....u................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4939864538672065
Encrypted:	false
SSDEEP:	192:ZnaRtLYbBp6khj4qyaaXq6KSSNYjW5RfGNBw8daSl:EeSquB+7cwN0
MD5:	68E9AC3B64D22D0C56448BF5C352B3CA
SHA1:	1463509A64815351D851E769617E7F474A92BD8B
SHA-256:	E701292CCEAB5B24639B2EAFC1EF4D0E273BD95894A0EEA36279AB5B5EE6AC0C
SHA-512:	21F6F3637C25AB45ACF28E2B005DB8335C8A021D3C46D57539F3AADB89A721B2538D9C1A159CE95C6908E10B6E618FCBB414FE69A363C3F00C18F77D84C1567E
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730462711);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730462711);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730462711);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173046

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.4939864538672065
Encrypted:	false
SSDEEP:	192:ZnaRtLYbBp6khj4qyaaXq6KSSNYjW5RfGNBw8daSl:EeSquB+7cwN0
MD5:	68E9AC3B64D22D0C56448BF5C352B3CA
SHA1:	1463509A64815351D851E769617E7F474A92BD8B
SHA-256:	E701292CCEAB5B24639B2EAFC1EF4D0E273BD95894A0EEA36279AB5B5EE6AC0C
SHA-512:	21F6F3637C25AB45ACF28E2B005DB8335C8A021D3C46D57539F3AADB89A721B2538D9C1A159CE95C6908E10B6E618FCBB414FE69A363C3F00C18F77D84C1567E
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730462711);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730462711);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730462711);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173046

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\3b4c2b4a-1b81-42ec-94c0-357cc9ee0926 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.943460570587994
Encrypted:	false
SSDEEP:	12:YZFgISHiwTeUclZIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YcCwThclZSlCOlZGV1AQIWZcy6Z2d
MD5:	B4D960D79DBEA1824876A1B3B6CDAF1A
SHA1:	E885D5E3F821614902287A35593CD82638688768
SHA-256:	13DAAAE1B48E340C25191715388E6D59459C7894392E7304B8918C462DBD538E
SHA-512:	4BE9F8452823EC3D42DC3618AE0092E4DEB6CF979342560C806E9966A356FE5402B52B473A97B379B5263B7AA970A7F1EA7E75564B27A0774BF1E8AF752CCB00
Malicious:	false
Preview:	{"type":"health","id":"3b4c2b4a-1b81-42ec-94c0-357cc9ee0926","creationDate":"2024-11-01T12:05:41.303Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\3b4c2b4a-1b81-42ec-94c0-357cc9ee0926.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	modified
Size (bytes):	493
Entropy (8bit):	4.943460570587994
Encrypted:	false
SSDEEP:	12:YZFgISHiwTeUclZIVHlW8cOlZGV1AQIYzvZcyBuLZ2d:YcCwThclZSlCOlZGV1AQIWZcy6Z2d
MD5:	B4D960D79DBEA1824876A1B3B6CDAF1A
SHA1:	E885D5E3F821614902287A35593CD82638688768
SHA-256:	13DAAAE1B48E340C25191715388E6D59459C7894392E7304B8918C462DBD538E
SHA-512:	4BE9F8452823EC3D42DC3618AE0092E4DEB6CF979342560C806E9966A356FE5402B52B473A97B379B5263B7AA970A7F1EA7E75564B27A0774BF1E8AF752CCB00
Malicious:	false
Preview:	{"type":"health","id":"3b4c2b4a-1b81-42ec-94c0-357cc9ee0926","creationDate":"2024-11-01T12:05:41.303Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.3295459260622176
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSLAwLXnIgs/pnxQwRlszT5sKtS3eHVQj6T+amhujJlOsIomNVr0aDO:GUpOxw1snR6U3eHT+4JlIquR4
MD5:	05E2269BC46623E14B339FBF5E6D978D
SHA1:	60F3CDD19C3F6CFF543DC5F757F18BB01F66D6C3
SHA-256:	CDDAEE6917C6DCD99F9A7AA62859C18603671195A2663306A002B9584212D623
SHA-512:	1A821A6DBB64EF4F4D6FF3F5A6A4CAC4719B4FA15C17B7FE26C9028E6BD22E9D8A9031A0082557423E668B8D5F8BBDFEF432E9F78E5FD4C1C6760E7A5E999B41
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2e18322e-2739-47f3-af4a-4b9aa268d6ab}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730462715085,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`680488...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....688517,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.3295459260622176
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSLAwLXnIgs/pnxQwRlszT5sKtS3eHVQj6T+amhujJlOsIomNVr0aDO:GUpOxw1snR6U3eHT+4JlIquR4
MD5:	05E2269BC46623E14B339FBF5E6D978D
SHA1:	60F3CDD19C3F6CFF543DC5F757F18BB01F66D6C3
SHA-256:	CDDAEE6917C6DCD99F9A7AA62859C18603671195A2663306A002B9584212D623
SHA-512:	1A821A6DBB64EF4F4D6FF3F5A6A4CAC4719B4FA15C17B7FE26C9028E6BD22E9D8A9031A0082557423E668B8D5F8BBDFEF432E9F78E5FD4C1C6760E7A5E999B41
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2e18322e-2739-47f3-af4a-4b9aa268d6ab}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730462715085,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`680488...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....688517,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1573
Entropy (8bit):	6.3295459260622176
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSLAwLXnIgs/pnxQwRlszT5sKtS3eHVQj6T+amhujJlOsIomNVr0aDO:GUpOxw1snR6U3eHT+4JlIquR4
MD5:	05E2269BC46623E14B339FBF5E6D978D
SHA1:	60F3CDD19C3F6CFF543DC5F757F18BB01F66D6C3
SHA-256:	CDDAEE6917C6DCD99F9A7AA62859C18603671195A2663306A002B9584212D623
SHA-512:	1A821A6DBB64EF4F4D6FF3F5A6A4CAC4719B4FA15C17B7FE26C9028E6BD22E9D8A9031A0082557423E668B8D5F8BBDFEF432E9F78E5FD4C1C6760E7A5E999B41
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{2e18322e-2739-47f3-af4a-4b9aa268d6ab}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730462715085,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`680488...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....688517,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032954869157427
Encrypted:	false
SSDEEP:	48:YrSAYKW6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycKWyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	33702DC2E95CB28A0448B73A95C24E97
SHA1:	72FE845CF3D15B199217C73B74047022A919FCA7
SHA-256:	D669A4CE755D061C5F42D012F30E2CB48A30F2BABBF6754A9B37FD353D05D73B
SHA-512:	CB400B71E8C46E9AE788DFF22ADAAE80D3F7FD825333066A96D397A1C3D7BEE6C382BE8CA6519077A88381EE5494CA42C848E32D18313F7476B46B68A32189C2
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T12:04:54.302Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032954869157427
Encrypted:	false
SSDEEP:	48:YrSAYKW6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycKWyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	33702DC2E95CB28A0448B73A95C24E97
SHA1:	72FE845CF3D15B199217C73B74047022A919FCA7
SHA-256:	D669A4CE755D061C5F42D012F30E2CB48A30F2BABBF6754A9B37FD353D05D73B
SHA-512:	CB400B71E8C46E9AE788DFF22ADAAE80D3F7FD825333066A96D397A1C3D7BEE6C382BE8CA6519077A88381EE5494CA42C848E32D18313F7476B46B68A32189C2
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T12:04:54.302Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5846822413077835
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	47e53a1655bb6d29868f5a784f62177d
SHA1:	132b0df160a02064f3f8e6a506118cd380a3f5ee
SHA256:	06ebef8676c90791d679ecb47b67e33da9908034b529eab7d278530eab431d8b
SHA512:	6a810984b66a70db73fe6548911a3e002a1efc1fce188946c3beb2dda6190b44124a3179379d48032d7b545d1df430531f1d406f4c0af7afbef544c542803ac7
SSDEEP:	12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T7:rqDEvCTbMWu7rQYlBQcBiT6rprG8ab7
TLSH:	E9159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6724AA39 [Fri Nov 1 10:15:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F9A2C917B13h
jmp 00007F9A2C91741Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9A2C9175FDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F9A2C9175CAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F9A2C91A1BDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F9A2C91A208h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F9A2C91A1F1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	1c623f1e293b4d70c1e8e8a2d780aada	False	0.31561511075949367	data	5.37376986914745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T11:29:47.353868+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49763	TCP
2024-11-01T11:30:25.593404+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49786	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 11:29:34.399861097 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:34.399938107 CET	443	49736	35.190.72.216	192.168.2.4
Nov 1, 2024 11:29:34.404109955 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:34.411221027 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:34.411256075 CET	443	49736	35.190.72.216	192.168.2.4
Nov 1, 2024 11:29:35.032548904 CET	443	49736	35.190.72.216	192.168.2.4
Nov 1, 2024 11:29:35.041232109 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:35.050267935 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:35.050316095 CET	443	49736	35.190.72.216	192.168.2.4
Nov 1, 2024 11:29:35.050384998 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:35.050533056 CET	443	49736	35.190.72.216	192.168.2.4
Nov 1, 2024 11:29:35.052489996 CET	49736	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:29:35.958194971 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:35.958271980 CET	443	49738	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:35.959254980 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:35.960737944 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:35.960757017 CET	443	49738	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.126760960 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:36.127955914 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.128036976 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.131740093 CET	80	49739	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:36.138281107 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.138300896 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:36.139781952 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.139832020 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.139925957 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:36.144706964 CET	80	49739	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:36.742413044 CET	80	49739	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:36.750447035 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:36.750483036 CET	443	49741	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:36.750688076 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:36.752250910 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:36.752268076 CET	443	49741	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:36.797609091 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:36.853517056 CET	443	49738	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.853614092 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.854212046 CET	443	49738	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.854336023 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.967925072 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.967957973 CET	443	49738	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.968024969 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.968250990 CET	443	49738	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.968915939 CET	49738	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:36.999573946 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:36.999588013 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:37.000580072 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:37.001446009 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.001483917 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.005330086 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:37.005341053 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.005376101 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:37.007535934 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.007551908 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.009764910 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.009773970 CET	443	49743	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:37.009989023 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.010528088 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.010538101 CET	443	49743	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:37.011921883 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:37.011960983 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:37.012003899 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:37.012113094 CET	443	49740	172.217.18.110	192.168.2.4
Nov 1, 2024 11:29:37.013495922 CET	49740	443	192.168.2.4	172.217.18.110
Nov 1, 2024 11:29:37.064817905 CET	49744	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.069760084 CET	80	49744	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.071800947 CET	49744	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.071937084 CET	49744	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.076651096 CET	80	49744	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.178217888 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.178262949 CET	443	49745	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.178478956 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.178627968 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.178641081 CET	443	49745	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.383363962 CET	443	49741	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.383480072 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.400202990 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.400223970 CET	443	49741	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.400331974 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.400722980 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.400795937 CET	443	49747	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.400886059 CET	443	49741	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.401364088 CET	49741	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.401460886 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.402806044 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.402823925 CET	443	49747	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.441303968 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.446134090 CET	80	49739	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.567182064 CET	80	49739	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.608999014 CET	49744	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.614744902 CET	80	49744	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.615524054 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.615550041 CET	49744	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.620191097 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.631334066 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.633754969 CET	443	49743	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:37.635128021 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.637669086 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.637677908 CET	443	49743	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:37.637728930 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.637733936 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.637938976 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.637968063 CET	443	49743	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:37.638096094 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.638106108 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.638763905 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.638789892 CET	443	49748	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.638945103 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.640348911 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:37.640364885 CET	443	49748	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.641745090 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.641820908 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.641891003 CET	443	49743	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:37.641946077 CET	49743	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:37.689462900 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.690352917 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.694442987 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.694530010 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.694617987 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.695633888 CET	80	49739	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.695693970 CET	49739	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:37.699429989 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:37.794410944 CET	443	49745	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.794533968 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.797883034 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.797892094 CET	443	49745	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.798121929 CET	443	49745	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.800205946 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.800328970 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.800348043 CET	443	49745	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.800463915 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.800482988 CET	49745	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.800889015 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.800946951 CET	443	49750	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.802572966 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.802756071 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:37.802800894 CET	443	49750	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:37.847341061 CET	443	49742	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:37.847393990 CET	49742	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.017858982 CET	443	49747	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:38.017947912 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.023037910 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.023049116 CET	443	49747	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:38.023128033 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.023220062 CET	443	49747	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:38.023282051 CET	49747	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.144057035 CET	49751	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:38.149034977 CET	80	49751	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:38.152667046 CET	49751	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:38.254702091 CET	443	49748	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:38.255047083 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.260099888 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.260118961 CET	443	49748	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:38.260194063 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.260328054 CET	443	49748	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:38.260421991 CET	49748	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:38.288974047 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:38.355300903 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:38.403480053 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:38.408368111 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:38.408601999 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:38.408742905 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:38.409451008 CET	443	49750	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:38.410712004 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:38.413742065 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:38.414089918 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:38.414109945 CET	443	49750	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:38.414370060 CET	443	49750	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:38.416749954 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:38.416821003 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:38.416944981 CET	443	49750	34.160.144.191	192.168.2.4
Nov 1, 2024 11:29:38.417061090 CET	49750	443	192.168.2.4	34.160.144.191
Nov 1, 2024 11:29:39.008801937 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:39.051944971 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:39.152848959 CET	49751	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:39.157704115 CET	80	49751	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:39.157793045 CET	49751	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:40.628783941 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:40.628860950 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:40.629132986 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:40.633999109 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:40.640891075 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:40.642230988 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:40.642272949 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:40.646507025 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:40.651320934 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:40.754062891 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:40.770792007 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:40.800287962 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:40.815962076 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:40.854162931 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:40.859049082 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:40.978374958 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:41.032114029 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:41.064748049 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.064779997 CET	443	49756	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:41.068815947 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.068929911 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.068944931 CET	443	49756	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:41.074006081 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.074024916 CET	443	49757	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:41.078130960 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.079668045 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.079684019 CET	443	49757	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:41.260416031 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.260432959 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.260507107 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.693454027 CET	443	49756	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:41.693538904 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.706229925 CET	443	49757	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:41.706360102 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.748828888 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.802369118 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.802382946 CET	443	49756	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:41.803195953 CET	443	49756	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:41.805768013 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.805823088 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.805986881 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.805986881 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.806020021 CET	443	49754	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.806574106 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.806648016 CET	443	49758	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.808588982 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.808635950 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.809010029 CET	443	49756	35.244.181.201	192.168.2.4
Nov 1, 2024 11:29:41.809171915 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.809180975 CET	443	49757	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:41.809242010 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.809334040 CET	443	49757	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:41.811397076 CET	49754	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.811404943 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.811439037 CET	49757	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:41.811467886 CET	49756	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:29:41.811537027 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.812971115 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:41.813021898 CET	443	49758	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:41.825453043 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:41.825556993 CET	443	49759	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:41.828150034 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:41.829510927 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:41.829547882 CET	443	49759	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:41.844568968 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:41.844602108 CET	443	49760	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:41.849174023 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:41.850568056 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:41.850610018 CET	443	49760	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:42.425757885 CET	443	49758	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:42.425863028 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:42.429864883 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:42.429887056 CET	443	49758	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:42.429968119 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:42.430563927 CET	443	49758	34.117.188.166	192.168.2.4
Nov 1, 2024 11:29:42.430634975 CET	49758	443	192.168.2.4	34.117.188.166
Nov 1, 2024 11:29:42.455961943 CET	443	49759	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:42.456029892 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.459825039 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.459832907 CET	443	49759	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:42.459947109 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.460105896 CET	443	49759	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:42.460330963 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.460370064 CET	443	49761	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:42.460376978 CET	49759	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.460499048 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.461788893 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:42.461802959 CET	443	49761	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:42.474395990 CET	443	49760	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:42.474473000 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:42.478384018 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:42.478401899 CET	443	49760	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:42.478460073 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:42.478616953 CET	443	49760	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:42.478682041 CET	49760	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:43.105515957 CET	443	49761	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:43.105819941 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:43.109843969 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:43.109857082 CET	443	49761	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:43.109946966 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:43.110095024 CET	443	49761	34.149.100.209	192.168.2.4
Nov 1, 2024 11:29:43.112818003 CET	49761	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:29:44.732789040 CET	49751	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:44.738065958 CET	80	49751	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:44.738152027 CET	49751	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:44.872075081 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:44.876909018 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:44.891711950 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:44.891745090 CET	443	49762	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:44.891819000 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:44.893258095 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:44.893273115 CET	443	49762	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:44.996310949 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:45.048758984 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:45.257891893 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:45.262737036 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:45.384005070 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:45.434993982 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:45.523989916 CET	443	49762	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:45.524187088 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:45.528980970 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:45.528990984 CET	443	49762	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:45.529074907 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:45.529516935 CET	443	49762	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:45.529896975 CET	49762	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.544364929 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:46.546320915 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.546367884 CET	443	49765	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:46.549201012 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:46.549618006 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.553020954 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.553061962 CET	443	49765	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:46.591780901 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.591819048 CET	443	49766	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:46.596457005 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.596649885 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.596663952 CET	443	49766	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:46.668421984 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:46.671137094 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.671220064 CET	443	49767	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:46.675050974 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.675304890 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:46.675354004 CET	443	49767	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:46.723095894 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:46.862046003 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:46.867034912 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:46.986639023 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:47.028862953 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:47.166874886 CET	443	49765	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.167756081 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.183665037 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.183712006 CET	443	49765	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.183779955 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.183891058 CET	443	49765	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.184839010 CET	49765	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.186484098 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:47.192430019 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:47.221726894 CET	443	49766	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.222121954 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.279706955 CET	443	49767	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.279812098 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.311578989 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:47.351803064 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:47.672806025 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.672837973 CET	443	49766	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.673825026 CET	443	49766	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.674817085 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.674858093 CET	443	49767	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.675148010 CET	443	49767	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.717556000 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.717628956 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.718281031 CET	443	49766	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.719676018 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.719738960 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.719893932 CET	443	49767	34.120.208.123	192.168.2.4
Nov 1, 2024 11:29:47.720880032 CET	49766	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.720901966 CET	49767	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:29:47.774229050 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:47.779119015 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:47.898345947 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:47.953550100 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:48.536979914 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:48.541975021 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:48.661417007 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:48.702434063 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:49.674444914 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:49.679533005 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:49.798886061 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:49.859147072 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:50.089823008 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.089847088 CET	443	49772	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:50.090322971 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.091818094 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.091835976 CET	443	49772	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:50.713479996 CET	443	49772	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:50.713565111 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.717998028 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.718010902 CET	443	49772	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:50.718101978 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.718285084 CET	443	49772	34.107.243.93	192.168.2.4
Nov 1, 2024 11:29:50.718790054 CET	49772	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:29:50.720799923 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:50.725574970 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:50.844662905 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:50.847639084 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:50.852648020 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:50.894366026 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:29:50.972059965 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:29:51.018059015 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:00.857530117 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:00.862488031 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:00.973501921 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:00.978394032 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:01.548557043 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:01.548623085 CET	443	49773	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:01.548924923 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:01.550168037 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:01.550189018 CET	443	49773	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:02.162450075 CET	443	49773	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:02.162564993 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:02.166647911 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:02.166659117 CET	443	49773	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:02.166757107 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:02.167290926 CET	443	49773	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:02.167351007 CET	49773	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:02.169444084 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:02.174257040 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:02.293663979 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:02.296997070 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:02.301899910 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:02.345868111 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:02.421392918 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:02.461772919 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:02.957237959 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:02.957293987 CET	443	49774	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:02.960062027 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:02.960149050 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:02.960160017 CET	443	49774	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:02.965934992 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:02.965977907 CET	443	49775	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:02.966195107 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:02.978949070 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:02.978965044 CET	443	49775	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:02.979382992 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:02.979418039 CET	443	49776	151.101.129.91	192.168.2.4
Nov 1, 2024 11:30:02.979518890 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:02.979618073 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:02.979631901 CET	443	49776	151.101.129.91	192.168.2.4
Nov 1, 2024 11:30:03.336400032 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.336440086 CET	443	49777	35.190.72.216	192.168.2.4
Nov 1, 2024 11:30:03.340742111 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.342236042 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.342247963 CET	443	49777	35.190.72.216	192.168.2.4
Nov 1, 2024 11:30:03.356549025 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.356584072 CET	443	49778	35.201.103.21	192.168.2.4
Nov 1, 2024 11:30:03.364490986 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.365871906 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.365884066 CET	443	49778	35.201.103.21	192.168.2.4
Nov 1, 2024 11:30:03.602309942 CET	443	49775	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:03.603581905 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.606926918 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.606937885 CET	443	49775	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:03.607090950 CET	443	49776	151.101.129.91	192.168.2.4
Nov 1, 2024 11:30:03.607208967 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:03.607733011 CET	443	49775	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:03.609755993 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:03.609767914 CET	443	49776	151.101.129.91	192.168.2.4
Nov 1, 2024 11:30:03.610095978 CET	443	49776	151.101.129.91	192.168.2.4
Nov 1, 2024 11:30:03.610338926 CET	443	49774	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.610822916 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.613656044 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.613662004 CET	443	49774	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.613981009 CET	443	49774	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.616364002 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.616477966 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.616555929 CET	443	49775	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:03.616755009 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:03.616803885 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:03.616996050 CET	443	49776	151.101.129.91	192.168.2.4
Nov 1, 2024 11:30:03.618146896 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.618215084 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.618323088 CET	443	49774	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.618453026 CET	49775	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.618462086 CET	49776	443	192.168.2.4	151.101.129.91
Nov 1, 2024 11:30:03.618477106 CET	49774	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.626349926 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:03.627731085 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.627772093 CET	443	49779	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.628176928 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.628278017 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.628292084 CET	443	49779	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.630115986 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.630145073 CET	443	49780	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.630594969 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.630722046 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.630739927 CET	443	49780	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.631231070 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:03.632684946 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.632702112 CET	443	49781	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.632903099 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.633001089 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:03.633013964 CET	443	49781	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:03.750888109 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:03.753921986 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:03.758969069 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:03.796849966 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:03.878540993 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:03.919364929 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:03.961349964 CET	443	49777	35.190.72.216	192.168.2.4
Nov 1, 2024 11:30:03.961469889 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.965588093 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.965598106 CET	443	49777	35.190.72.216	192.168.2.4
Nov 1, 2024 11:30:03.965696096 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.965764046 CET	443	49777	35.190.72.216	192.168.2.4
Nov 1, 2024 11:30:03.966207981 CET	49777	443	192.168.2.4	35.190.72.216
Nov 1, 2024 11:30:03.968733072 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:03.973584890 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:03.979867935 CET	443	49778	35.201.103.21	192.168.2.4
Nov 1, 2024 11:30:03.979882956 CET	443	49778	35.201.103.21	192.168.2.4
Nov 1, 2024 11:30:03.979974031 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.984101057 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.984118938 CET	443	49778	35.201.103.21	192.168.2.4
Nov 1, 2024 11:30:03.984193087 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.984318972 CET	443	49778	35.201.103.21	192.168.2.4
Nov 1, 2024 11:30:03.984580994 CET	49778	443	192.168.2.4	35.201.103.21
Nov 1, 2024 11:30:03.995527029 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.995573997 CET	443	49782	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:03.995660067 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.995781898 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:03.995795012 CET	443	49782	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:04.093035936 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.096875906 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.101741076 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.135591984 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.221990108 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.228065014 CET	443	49779	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.229192019 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.231906891 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.231925011 CET	443	49779	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.232279062 CET	443	49779	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.234455109 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.234540939 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.234652996 CET	443	49779	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.234766006 CET	49779	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.237320900 CET	443	49781	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.238823891 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.239681005 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.242219925 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.242227077 CET	443	49781	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.242566109 CET	443	49781	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.243233919 CET	443	49780	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.244287014 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.244362116 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.244467974 CET	443	49781	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.244976044 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.244995117 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.245008945 CET	49781	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.245033026 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.247572899 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.247596025 CET	443	49780	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.248420000 CET	443	49780	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.250133038 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.250133038 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.250309944 CET	443	49780	35.244.181.201	192.168.2.4
Nov 1, 2024 11:30:04.250570059 CET	49780	443	192.168.2.4	35.244.181.201
Nov 1, 2024 11:30:04.267082930 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.364417076 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.368880033 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.373790026 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.420769930 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.493486881 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.537007093 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.603281021 CET	443	49782	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:04.603359938 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:04.606970072 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:04.606990099 CET	443	49782	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:04.607218981 CET	443	49782	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:04.609738111 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:04.609839916 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:04.609905958 CET	443	49782	34.149.100.209	192.168.2.4
Nov 1, 2024 11:30:04.611110926 CET	49782	443	192.168.2.4	34.149.100.209
Nov 1, 2024 11:30:04.612875938 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.617949009 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.737466097 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.741287947 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.746189117 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.784132957 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:04.865525961 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:04.919658899 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:14.749759912 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:14.754589081 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:14.881323099 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:14.886183977 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:22.237735033 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.237772942 CET	443	49785	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:22.238132954 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.239334106 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.239342928 CET	443	49785	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:22.854618073 CET	443	49785	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:22.854722977 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.859147072 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.859160900 CET	443	49785	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:22.859234095 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.859415054 CET	443	49785	34.107.243.93	192.168.2.4
Nov 1, 2024 11:30:22.859971046 CET	49785	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:30:22.861722946 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:22.866586924 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:22.987670898 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:22.990770102 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:22.996017933 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:23.029459953 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:23.115727901 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:23.173938990 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:28.796875954 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:28.801722050 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:28.921145916 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:28.925307989 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:28.930417061 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:28.968554020 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:29.057986021 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:29.106640100 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:33.041506052 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.041518927 CET	443	49804	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.041738987 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.041903019 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.041912079 CET	443	49804	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.057760954 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.057777882 CET	443	49805	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.058039904 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.058048964 CET	443	49806	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.059277058 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.059365034 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.059447050 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.059458017 CET	443	49805	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.059571981 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.059581995 CET	443	49806	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.650460958 CET	443	49804	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.652060032 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.654985905 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.654993057 CET	443	49804	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.655328035 CET	443	49804	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.657521009 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.657620907 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.657702923 CET	443	49804	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.658037901 CET	49804	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.670017958 CET	443	49806	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.671211004 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.673286915 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.673291922 CET	443	49806	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.673630953 CET	443	49806	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.674700022 CET	443	49805	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.675765038 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.675841093 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.675967932 CET	443	49806	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.680699110 CET	49806	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.680713892 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.683521032 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.683530092 CET	443	49805	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.683810949 CET	443	49805	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.685863972 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.685945034 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.686018944 CET	443	49805	34.120.208.123	192.168.2.4
Nov 1, 2024 11:30:33.692706108 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:33.695672035 CET	49805	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:30:33.697827101 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:33.817352057 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:33.858979940 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:33.863840103 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:33.870642900 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:33.983237982 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:34.027249098 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:43.833076954 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:43.837918997 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:43.986809015 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:43.991780996 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:53.845705986 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:53.850593090 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:30:53.999430895 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:30:54.004795074 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:03.053317070 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.053350925 CET	443	49969	34.107.243.93	192.168.2.4
Nov 1, 2024 11:31:03.053453922 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.054939032 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.054950953 CET	443	49969	34.107.243.93	192.168.2.4
Nov 1, 2024 11:31:03.660088062 CET	443	49969	34.107.243.93	192.168.2.4
Nov 1, 2024 11:31:03.660212994 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.666309118 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.666328907 CET	443	49969	34.107.243.93	192.168.2.4
Nov 1, 2024 11:31:03.666455030 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.666505098 CET	443	49969	34.107.243.93	192.168.2.4
Nov 1, 2024 11:31:03.667303085 CET	49969	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:31:03.669429064 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:03.674242973 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:03.793962955 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:03.798060894 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:03.802943945 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:03.843718052 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:03.922463894 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:03.975100994 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:13.803178072 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:13.808054924 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:13.941153049 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:13.945971966 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:23.831597090 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:23.836606026 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:23.947397947 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:23.952299118 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:33.843554974 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:33.959472895 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:34.162609100 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:34.162625074 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:44.173038006 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:44.173051119 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:45.175482988 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:45.175501108 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:45.221146107 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:45.221163034 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:45.221172094 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:45.222812891 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:55.233071089 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:55.233110905 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:31:55.238049030 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:31:55.238065004 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:05.246078014 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:05.246090889 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:05.251224041 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:05.251240015 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:15.259802103 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:15.259927034 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:15.264677048 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:15.264750004 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:23.795120001 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:23.795162916 CET	443	50058	34.107.243.93	192.168.2.4
Nov 1, 2024 11:32:23.795430899 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:23.796917915 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:23.796936035 CET	443	50058	34.107.243.93	192.168.2.4
Nov 1, 2024 11:32:24.415167093 CET	443	50058	34.107.243.93	192.168.2.4
Nov 1, 2024 11:32:24.415539980 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:24.421220064 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:24.421236038 CET	443	50058	34.107.243.93	192.168.2.4
Nov 1, 2024 11:32:24.421350002 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:24.421386003 CET	443	50058	34.107.243.93	192.168.2.4
Nov 1, 2024 11:32:24.422785997 CET	50058	443	192.168.2.4	34.107.243.93
Nov 1, 2024 11:32:24.424561977 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:24.430722952 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:24.550198078 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:24.556193113 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:24.561069012 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:24.602782011 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:24.690197945 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:24.740896940 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:33.834317923 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834372044 CET	443	50059	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.834465027 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834505081 CET	443	50060	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.834660053 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834723949 CET	443	50061	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.834753036 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834753990 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834789991 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834798098 CET	443	50062	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.834897995 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.834904909 CET	443	50059	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.835005045 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.835020065 CET	443	50060	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.835150957 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.835151911 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.835203886 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.835208893 CET	443	50062	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:33.835289955 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:33.835302114 CET	443	50061	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.435098886 CET	443	50059	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.435307026 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.438546896 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.438554049 CET	443	50059	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.438775063 CET	443	50059	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.441091061 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.441211939 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.441231966 CET	443	50059	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.443533897 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:34.446053028 CET	50059	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.448354959 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:34.449317932 CET	443	50060	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.449390888 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.449409008 CET	443	50062	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.449469090 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.452275038 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.452281952 CET	443	50060	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.452507019 CET	443	50060	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.454823017 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.454827070 CET	443	50062	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.455046892 CET	443	50062	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.455725908 CET	443	50061	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.456010103 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.458465099 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.458477020 CET	443	50061	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.458792925 CET	443	50061	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.460544109 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.460634947 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.460711956 CET	443	50060	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.461198092 CET	50060	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.461211920 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.461333990 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.461364031 CET	443	50062	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.462402105 CET	50062	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.462924004 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.463021040 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.463097095 CET	443	50061	34.120.208.123	192.168.2.4
Nov 1, 2024 11:32:34.463146925 CET	50061	443	192.168.2.4	34.120.208.123
Nov 1, 2024 11:32:34.567718983 CET	80	49752	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:34.570281982 CET	49749	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:34.575087070 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:34.623102903 CET	49752	80	192.168.2.4	34.107.221.82
Nov 1, 2024 11:32:34.695858002 CET	80	49749	34.107.221.82	192.168.2.4
Nov 1, 2024 11:32:34.739001036 CET	49749	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 11:29:34.404094934 CET	57358	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:34.411165953 CET	53	57358	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:34.415340900 CET	63963	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:34.422534943 CET	53	63963	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:35.948968887 CET	58936	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:35.948968887 CET	55481	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:35.955885887 CET	53	58936	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:35.958754063 CET	65140	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:35.958930016 CET	52679	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:35.965401888 CET	53	52679	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:35.965754032 CET	53	65140	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:35.966202974 CET	53224	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:35.966468096 CET	53635	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:35.972735882 CET	53	53224	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:35.973567009 CET	53	53635	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:36.741848946 CET	53219	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:36.748852015 CET	53	53219	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:36.750597954 CET	55447	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:36.757541895 CET	53	55447	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:36.764890909 CET	54085	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:36.771626949 CET	53	54085	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:36.977668047 CET	52864	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:36.978214025 CET	64025	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:36.984558105 CET	53	52864	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:36.984884977 CET	53	64025	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:36.985672951 CET	55771	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:36.992780924 CET	53	55771	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.009316921 CET	58011	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.009829044 CET	54321	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.016102076 CET	53	58011	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.016498089 CET	53	54321	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.036510944 CET	53627	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.037097931 CET	57397	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.044037104 CET	53	57397	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.044081926 CET	53	53627	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.052992105 CET	59338	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.170325994 CET	51049	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.177192926 CET	53	51049	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.178395033 CET	62430	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.185209990 CET	53	62430	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:37.188462973 CET	50590	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:37.195216894 CET	53	50590	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:40.649712086 CET	49693	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:40.656924009 CET	53	49693	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:40.657578945 CET	56148	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:40.664726973 CET	53	56148	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:40.665258884 CET	54198	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:40.673144102 CET	53	54198	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:40.931317091 CET	57926	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:40.961869001 CET	53	63384	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.075804949 CET	58171	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.082685947 CET	53	58171	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.083204985 CET	51831	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.090600014 CET	53	51831	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.120532036 CET	62005	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.127003908 CET	53	62005	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.133908987 CET	56359	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.152652979 CET	53	56359	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.174037933 CET	62773	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.180921078 CET	53	62773	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.816123009 CET	57272	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.823191881 CET	53	57272	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.825835943 CET	55732	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.832717896 CET	53	55732	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:41.835664988 CET	52013	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:41.843475103 CET	53	52013	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:46.561672926 CET	58619	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:46.571424961 CET	53	58619	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.791925907 CET	55587	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.799010992 CET	53	55587	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.807063103 CET	53186	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.814358950 CET	53	53186	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.860435009 CET	57418	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.867496014 CET	53	57418	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.875291109 CET	55122	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.884948015 CET	53	55122	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.895558119 CET	51230	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.902404070 CET	53	51230	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.912492037 CET	58137	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.921746016 CET	53	58137	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.922238111 CET	52126	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.929126978 CET	53	52126	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.937864065 CET	51485	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.945059061 CET	53	51485	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.949901104 CET	50693	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.950445890 CET	50617	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.950464010 CET	59972	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.956955910 CET	53	50693	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.957250118 CET	53	50617	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.957294941 CET	53	59972	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.963401079 CET	63081	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.963535070 CET	55810	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.970374107 CET	53	63081	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.970413923 CET	53	55810	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.970911980 CET	55321	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.970941067 CET	64885	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:49.977706909 CET	53	64885	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:49.977792978 CET	53	55321	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:50.080760956 CET	49528	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:50.087622881 CET	53	49528	1.1.1.1	192.168.2.4
Nov 1, 2024 11:29:50.088628054 CET	60836	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:29:50.095489025 CET	53	60836	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:01.549201012 CET	61124	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:01.556559086 CET	53	61124	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:02.169680119 CET	51114	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:02.957739115 CET	65060	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:02.964234114 CET	63460	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:02.965656996 CET	53	65060	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:02.966599941 CET	63097	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:02.971230984 CET	53	63460	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:02.972349882 CET	54954	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:02.974175930 CET	53	63097	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:02.979798079 CET	53	54954	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:02.980374098 CET	52918	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:02.987410069 CET	53	52918	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:03.344118118 CET	63137	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:03.351861000 CET	53	63137	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:03.356821060 CET	52678	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:03.363735914 CET	53	52678	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:03.366858959 CET	62155	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:03.374155045 CET	53	62155	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:22.238064051 CET	65171	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:22.245043993 CET	53	65171	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:22.861991882 CET	57984	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:33.056091070 CET	61670	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:33.063026905 CET	53	61670	1.1.1.1	192.168.2.4
Nov 1, 2024 11:30:33.694922924 CET	50957	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:30:33.702804089 CET	53	50957	1.1.1.1	192.168.2.4
Nov 1, 2024 11:31:03.045525074 CET	55393	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:31:03.052372932 CET	53	55393	1.1.1.1	192.168.2.4
Nov 1, 2024 11:31:03.053381920 CET	58396	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:31:03.060503006 CET	53	58396	1.1.1.1	192.168.2.4
Nov 1, 2024 11:31:03.669747114 CET	54010	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:32:23.766381025 CET	60220	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:32:23.778371096 CET	53	60220	1.1.1.1	192.168.2.4
Nov 1, 2024 11:32:23.779395103 CET	58115	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:32:23.794305086 CET	53	58115	1.1.1.1	192.168.2.4
Nov 1, 2024 11:32:23.795007944 CET	58539	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:32:23.810089111 CET	53	58539	1.1.1.1	192.168.2.4
Nov 1, 2024 11:32:24.424782991 CET	61464	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:32:33.835719109 CET	54763	53	192.168.2.4	1.1.1.1
Nov 1, 2024 11:32:33.842374086 CET	53	54763	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 11:29:34.404094934 CET	192.168.2.4	1.1.1.1	0x21b	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:34.415340900 CET	192.168.2.4	1.1.1.1	0xb9d5	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:35.948968887 CET	192.168.2.4	1.1.1.1	0x1ddb	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.948968887 CET	192.168.2.4	1.1.1.1	0x8432	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.958754063 CET	192.168.2.4	1.1.1.1	0x197c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.958930016 CET	192.168.2.4	1.1.1.1	0xbb	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.966202974 CET	192.168.2.4	1.1.1.1	0x462b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:35.966468096 CET	192.168.2.4	1.1.1.1	0xe890	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:36.741848946 CET	192.168.2.4	1.1.1.1	0x6e10	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.750597954 CET	192.168.2.4	1.1.1.1	0x40e4	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.764890909 CET	192.168.2.4	1.1.1.1	0x5251	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:36.977668047 CET	192.168.2.4	1.1.1.1	0x3483	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.978214025 CET	192.168.2.4	1.1.1.1	0x6984	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.985672951 CET	192.168.2.4	1.1.1.1	0xfaa5	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.009316921 CET	192.168.2.4	1.1.1.1	0xb14d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.009829044 CET	192.168.2.4	1.1.1.1	0x68c2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.036510944 CET	192.168.2.4	1.1.1.1	0xbe1b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:37.037097931 CET	192.168.2.4	1.1.1.1	0x62d9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:37.052992105 CET	192.168.2.4	1.1.1.1	0xcaa9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.170325994 CET	192.168.2.4	1.1.1.1	0x6c46	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.178395033 CET	192.168.2.4	1.1.1.1	0x7aa3	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.188462973 CET	192.168.2.4	1.1.1.1	0xb620	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:40.649712086 CET	192.168.2.4	1.1.1.1	0xa729	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:40.657578945 CET	192.168.2.4	1.1.1.1	0xa3ef	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:40.665258884 CET	192.168.2.4	1.1.1.1	0xb3ba	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:40.931317091 CET	192.168.2.4	1.1.1.1	0x584	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.075804949 CET	192.168.2.4	1.1.1.1	0x4d14	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.083204985 CET	192.168.2.4	1.1.1.1	0xdc57	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:41.120532036 CET	192.168.2.4	1.1.1.1	0x4a28	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.133908987 CET	192.168.2.4	1.1.1.1	0xfef0	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.174037933 CET	192.168.2.4	1.1.1.1	0xaee2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:41.816123009 CET	192.168.2.4	1.1.1.1	0x1e86	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.825835943 CET	192.168.2.4	1.1.1.1	0x2e2c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.835664988 CET	192.168.2.4	1.1.1.1	0x33da	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:46.561672926 CET	192.168.2.4	1.1.1.1	0xb8c0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:49.791925907 CET	192.168.2.4	1.1.1.1	0xe795	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.807063103 CET	192.168.2.4	1.1.1.1	0x3518	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.860435009 CET	192.168.2.4	1.1.1.1	0xe03a	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:49.875291109 CET	192.168.2.4	1.1.1.1	0xfc44	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.895558119 CET	192.168.2.4	1.1.1.1	0x23fe	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.912492037 CET	192.168.2.4	1.1.1.1	0x2685	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 1, 2024 11:29:49.922238111 CET	192.168.2.4	1.1.1.1	0xe994	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.937864065 CET	192.168.2.4	1.1.1.1	0x8879	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.949901104 CET	192.168.2.4	1.1.1.1	0x1ea3	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:49.950445890 CET	192.168.2.4	1.1.1.1	0x6915	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.950464010 CET	192.168.2.4	1.1.1.1	0xfe0e	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.963401079 CET	192.168.2.4	1.1.1.1	0xedfd	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.963535070 CET	192.168.2.4	1.1.1.1	0x68d	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970911980 CET	192.168.2.4	1.1.1.1	0xef03	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 1, 2024 11:29:49.970941067 CET	192.168.2.4	1.1.1.1	0x6114	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 1, 2024 11:29:50.080760956 CET	192.168.2.4	1.1.1.1	0xe2a6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:50.088628054 CET	192.168.2.4	1.1.1.1	0xe9f0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:30:01.549201012 CET	192.168.2.4	1.1.1.1	0x392e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:30:02.169680119 CET	192.168.2.4	1.1.1.1	0xaba9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.957739115 CET	192.168.2.4	1.1.1.1	0x8008	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.964234114 CET	192.168.2.4	1.1.1.1	0xc651	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.966599941 CET	192.168.2.4	1.1.1.1	0xf638	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 11:30:02.972349882 CET	192.168.2.4	1.1.1.1	0xcf26	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.980374098 CET	192.168.2.4	1.1.1.1	0xcbbd	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 1, 2024 11:30:03.344118118 CET	192.168.2.4	1.1.1.1	0xfa90	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:03.356821060 CET	192.168.2.4	1.1.1.1	0xdd59	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:03.366858959 CET	192.168.2.4	1.1.1.1	0x7f88	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:30:22.238064051 CET	192.168.2.4	1.1.1.1	0x4224	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:30:22.861991882 CET	192.168.2.4	1.1.1.1	0xe128	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:33.056091070 CET	192.168.2.4	1.1.1.1	0xdda4	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:30:33.694922924 CET	192.168.2.4	1.1.1.1	0x38c6	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:31:03.045525074 CET	192.168.2.4	1.1.1.1	0xbba9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:31:03.053381920 CET	192.168.2.4	1.1.1.1	0xf1a5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:31:03.669747114 CET	192.168.2.4	1.1.1.1	0x4991	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:23.766381025 CET	192.168.2.4	1.1.1.1	0x4d67	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:23.779395103 CET	192.168.2.4	1.1.1.1	0x8601	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:23.795007944 CET	192.168.2.4	1.1.1.1	0x5bf3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 11:32:24.424782991 CET	192.168.2.4	1.1.1.1	0xdc1c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:33.835719109 CET	192.168.2.4	1.1.1.1	0x14e1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 11:29:34.391360998 CET	1.1.1.1	192.168.2.4	0x74ee	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:34.411165953 CET	1.1.1.1	192.168.2.4	0x21b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.955885887 CET	1.1.1.1	192.168.2.4	0x1ddb	No error (0)	youtube.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.956062078 CET	1.1.1.1	192.168.2.4	0x8432	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:35.956062078 CET	1.1.1.1	192.168.2.4	0x8432	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.965401888 CET	1.1.1.1	192.168.2.4	0xbb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.965754032 CET	1.1.1.1	192.168.2.4	0x197c	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:35.972735882 CET	1.1.1.1	192.168.2.4	0x462b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 11:29:35.973567009 CET	1.1.1.1	192.168.2.4	0xe890	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 1, 2024 11:29:36.748852015 CET	1.1.1.1	192.168.2.4	0x6e10	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.757541895 CET	1.1.1.1	192.168.2.4	0x40e4	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.984558105 CET	1.1.1.1	192.168.2.4	0x3483	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.984884977 CET	1.1.1.1	192.168.2.4	0x6984	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.984884977 CET	1.1.1.1	192.168.2.4	0x6984	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.992780924 CET	1.1.1.1	192.168.2.4	0xfaa5	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:36.992780924 CET	1.1.1.1	192.168.2.4	0xfaa5	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:36.993267059 CET	1.1.1.1	192.168.2.4	0xc718	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:36.993267059 CET	1.1.1.1	192.168.2.4	0xc718	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.016102076 CET	1.1.1.1	192.168.2.4	0xb14d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.016498089 CET	1.1.1.1	192.168.2.4	0x68c2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.059619904 CET	1.1.1.1	192.168.2.4	0xcaa9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:37.059619904 CET	1.1.1.1	192.168.2.4	0xcaa9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.177192926 CET	1.1.1.1	192.168.2.4	0x6c46	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:37.177192926 CET	1.1.1.1	192.168.2.4	0x6c46	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:37.177192926 CET	1.1.1.1	192.168.2.4	0x6c46	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.185209990 CET	1.1.1.1	192.168.2.4	0x7aa3	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:37.195216894 CET	1.1.1.1	192.168.2.4	0xb620	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 11:29:40.656924009 CET	1.1.1.1	192.168.2.4	0xa729	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:40.656924009 CET	1.1.1.1	192.168.2.4	0xa729	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:40.656924009 CET	1.1.1.1	192.168.2.4	0xa729	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:40.664726973 CET	1.1.1.1	192.168.2.4	0xa3ef	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:40.938595057 CET	1.1.1.1	192.168.2.4	0x584	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:41.060858011 CET	1.1.1.1	192.168.2.4	0x4c93	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.063147068 CET	1.1.1.1	192.168.2.4	0xcf28	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:41.063147068 CET	1.1.1.1	192.168.2.4	0xcf28	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.082685947 CET	1.1.1.1	192.168.2.4	0x4d14	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.127003908 CET	1.1.1.1	192.168.2.4	0x4a28	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.152652979 CET	1.1.1.1	192.168.2.4	0xfef0	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.823191881 CET	1.1.1.1	192.168.2.4	0x1e86	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:41.823191881 CET	1.1.1.1	192.168.2.4	0x1e86	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:41.832717896 CET	1.1.1.1	192.168.2.4	0x2e2c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:44.880023003 CET	1.1.1.1	192.168.2.4	0xb59e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.799010992 CET	1.1.1.1	192.168.2.4	0xe795	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:49.799010992 CET	1.1.1.1	192.168.2.4	0xe795	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.814358950 CET	1.1.1.1	192.168.2.4	0x3518	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.867496014 CET	1.1.1.1	192.168.2.4	0xe03a	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 1, 2024 11:29:49.884948015 CET	1.1.1.1	192.168.2.4	0xfc44	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:49.884948015 CET	1.1.1.1	192.168.2.4	0xfc44	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.884948015 CET	1.1.1.1	192.168.2.4	0xfc44	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.884948015 CET	1.1.1.1	192.168.2.4	0xfc44	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.884948015 CET	1.1.1.1	192.168.2.4	0xfc44	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.902404070 CET	1.1.1.1	192.168.2.4	0x23fe	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.902404070 CET	1.1.1.1	192.168.2.4	0x23fe	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.902404070 CET	1.1.1.1	192.168.2.4	0x23fe	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.902404070 CET	1.1.1.1	192.168.2.4	0x23fe	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.929126978 CET	1.1.1.1	192.168.2.4	0xe994	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.945059061 CET	1.1.1.1	192.168.2.4	0x8879	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957250118 CET	1.1.1.1	192.168.2.4	0x6915	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957294941 CET	1.1.1.1	192.168.2.4	0xfe0e	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:29:49.957294941 CET	1.1.1.1	192.168.2.4	0xfe0e	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970374107 CET	1.1.1.1	192.168.2.4	0xedfd	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.970413923 CET	1.1.1.1	192.168.2.4	0x68d	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:29:49.977706909 CET	1.1.1.1	192.168.2.4	0x6114	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 11:29:49.977706909 CET	1.1.1.1	192.168.2.4	0x6114	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 11:29:49.977706909 CET	1.1.1.1	192.168.2.4	0x6114	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 11:29:49.977706909 CET	1.1.1.1	192.168.2.4	0x6114	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 11:29:49.977792978 CET	1.1.1.1	192.168.2.4	0xef03	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 1, 2024 11:29:50.087622881 CET	1.1.1.1	192.168.2.4	0xe2a6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.177084923 CET	1.1.1.1	192.168.2.4	0xaba9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:30:02.177084923 CET	1.1.1.1	192.168.2.4	0xaba9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.965656996 CET	1.1.1.1	192.168.2.4	0x8008	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.971230984 CET	1.1.1.1	192.168.2.4	0xc651	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.971230984 CET	1.1.1.1	192.168.2.4	0xc651	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.971230984 CET	1.1.1.1	192.168.2.4	0xc651	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.971230984 CET	1.1.1.1	192.168.2.4	0xc651	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.979798079 CET	1.1.1.1	192.168.2.4	0xcf26	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.979798079 CET	1.1.1.1	192.168.2.4	0xcf26	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.979798079 CET	1.1.1.1	192.168.2.4	0xcf26	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.979798079 CET	1.1.1.1	192.168.2.4	0xcf26	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:02.987410069 CET	1.1.1.1	192.168.2.4	0xcbbd	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 11:30:02.987410069 CET	1.1.1.1	192.168.2.4	0xcbbd	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 11:30:02.987410069 CET	1.1.1.1	192.168.2.4	0xcbbd	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 11:30:02.987410069 CET	1.1.1.1	192.168.2.4	0xcbbd	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 11:30:03.351861000 CET	1.1.1.1	192.168.2.4	0xfa90	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:30:03.351861000 CET	1.1.1.1	192.168.2.4	0xfa90	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:03.363735914 CET	1.1.1.1	192.168.2.4	0xdd59	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:04.258548021 CET	1.1.1.1	192.168.2.4	0xbb8	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:30:04.258548021 CET	1.1.1.1	192.168.2.4	0xbb8	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:30:22.868741035 CET	1.1.1.1	192.168.2.4	0xe128	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:30:22.868741035 CET	1.1.1.1	192.168.2.4	0xe128	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:33.047801971 CET	1.1.1.1	192.168.2.4	0xc211	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:30:33.702804089 CET	1.1.1.1	192.168.2.4	0x38c6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:31:03.052372932 CET	1.1.1.1	192.168.2.4	0xbba9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:31:03.676476002 CET	1.1.1.1	192.168.2.4	0x4991	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:31:03.676476002 CET	1.1.1.1	192.168.2.4	0x4991	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:23.778371096 CET	1.1.1.1	192.168.2.4	0x4d67	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:23.794305086 CET	1.1.1.1	192.168.2.4	0x8601	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:24.433756113 CET	1.1.1.1	192.168.2.4	0xdc1c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 11:32:24.433756113 CET	1.1.1.1	192.168.2.4	0xdc1c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 11:32:33.833442926 CET	1.1.1.1	192.168.2.4	0x4beb	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	34.107.221.82	80	1700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 11:29:36.139925957 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:36.742413044 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58092 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:37.441303968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:37.567182064 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58093 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	1700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 11:29:37.071937084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	1700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 11:29:37.694617987 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:38.288974047 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68413 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:40.629132986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:40.754062891 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68415 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:40.854162931 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:40.978374958 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68415 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:45.257891893 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:45.384005070 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68420 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:46.862046003 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:46.986639023 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68421 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:47.774229050 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:47.898345947 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68422 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:49.674444914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:49.798886061 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68424 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:29:50.847639084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:29:50.972059965 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68425 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:00.973501921 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:30:02.296997070 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:02.421392918 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68437 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:03.753921986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:03.878540993 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68438 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:04.096875906 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:04.221990108 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68439 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:04.368880033 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:04.493486881 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68439 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:04.741287947 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:04.865525961 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68439 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:14.881323099 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:30:22.990770102 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:23.115727901 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68458 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:28.925307989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:29.057986021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68463 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:33.858979940 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:30:33.983237982 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68468 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:30:43.986809015 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:30:53.999430895 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:03.798060894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:31:03.922463894 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68498 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:31:13.941153049 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:23.947397947 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:33.959472895 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:44.173038006 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:45.175482988 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:55.233071089 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:32:24.556193113 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:32:24.690197945 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68579 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 11:32:34.570281982 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 11:32:34.695858002 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 68589 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49752	34.107.221.82	80	1700	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 11:29:38.408742905 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:39.008801937 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58094 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:40.646507025 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:40.770792007 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58096 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:44.872075081 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:44.996310949 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58100 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:46.544364929 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:46.668421984 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58102 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:47.186484098 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:47.311578989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58103 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:48.536979914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:48.661417007 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58104 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:29:50.720799923 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:29:50.844662905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58106 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:00.857530117 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:30:02.169444084 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:02.293663979 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58118 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:03.626349926 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:03.750888109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58119 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:03.968733072 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:04.093035936 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58120 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:04.238823891 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:04.364417076 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58120 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:04.612875938 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:04.737466097 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58120 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:14.749759912 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:30:22.861722946 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:22.987670898 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58138 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:28.796875954 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:28.921145916 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58144 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:33.692706108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:30:33.817352057 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58149 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:30:43.833076954 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:30:53.845705986 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:03.669429064 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:31:03.793962955 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58179 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:31:13.803178072 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:23.831597090 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:33.843554974 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:44.173051119 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:45.175501108 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:31:55.233110905 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 11:32:24.424561977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:32:24.550198078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58260 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 11:32:34.443533897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 11:32:34.567718983 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 18:21:24 GMT Age: 58270 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	06:29:27
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x670000
File size:	919'552 bytes
MD5 hash:	47E53A1655BB6D29868F5A784F62177D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:29:27
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xf20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:29:27
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:29:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xf20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:29:29
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:29:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xf20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xf20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xf20000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:29:30
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	06:29:31
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7aeda06e-1277-45a8-823c-dc715986717c} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd6816e510 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	06:29:33
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4512 -parentBuildID 20230927232528 -prefsHandle 3876 -prefMapHandle 3120 -prefsLen 26309 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa0e31d-f123-4488-bb82-ef33fd8d5505} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd7a133110 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	06:29:39
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {478ec684-3c8f-4465-8153-7285f54d1359} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 1dd83b44d10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1549
Total number of Limit Nodes:	66

Executed Functions

Function 006742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0067430D

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

GetCurrentProcess.KERNEL32(?,0070CB64,00000000,?,?), ref: 00674422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00674429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00674454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00674466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00674474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0067447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006744A0

Strings

GetNativeSystemInfo, xrefs: 00674460
|O, xrefs: 006B36F8
kernel32.dll, xrefs: 0067444F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 7c17c820c89ce531cc86eefb84a8e054b144d3e397acbd4726a11a2028537fbe
Instruction ID: 52e149f21108ddbf099263fbf9a3d0187ab8dd29004b9816eafda8a823108947
Opcode Fuzzy Hash: 7c17c820c89ce531cc86eefb84a8e054b144d3e397acbd4726a11a2028537fbe
Instruction Fuzzy Hash: CFA1D5BA90A2D0CFC712EF697C441E47FE6AB27340B84C5AAD04593B26E72C45C5DB2D

Function 006742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006750AA,?,?,00000000,00000000), ref: 006742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006750AA,?,?,00000000,00000000), ref: 006742C9
LoadResource.KERNEL32(?,00000000,?,?,006750AA,?,?,00000000,00000000,?,?,?,?,?,?,00674F20), ref: 006B35BE
SizeofResource.KERNEL32(?,00000000,?,?,006750AA,?,?,00000000,00000000,?,?,?,?,?,?,00674F20), ref: 006B35D3
LockResource.KERNEL32(006750AA,?,?,006750AA,?,?,00000000,00000000,?,?,?,?,?,?,00674F20,?), ref: 006B35E6

Strings

SCRIPT, xrefs: 006742BF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 09c22560da4813123edb778686bc1f1086ec5c3f0307fd89e21123ff066955f1
Instruction ID: 9e4b9424ddac63c7398e9c0908acb99ea4d8024a172b5669c6cffd9734dec91b
Opcode Fuzzy Hash: 09c22560da4813123edb778686bc1f1086ec5c3f0307fd89e21123ff066955f1
Instruction Fuzzy Hash: B4117C71200700FFD7228B65DC49F677BBAEFC5B51F208269F41696690DF71D9108A20

Function 006B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00672B6B

Part of subcall function 00673A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00741418,?,00672E7F,?,?,?,00000000), ref: 00673A78

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00732224), ref: 006B2C10
ShellExecuteW.SHELL32(00000000,?,?,00732224), ref: 006B2C17

Strings

runas, xrefs: 006B2C0B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 2fefa127cb9df04fac42a62a94a585efb863aa25d6626e587d5daf311eb707ca
Instruction ID: caf974f5749ec12c22537966149ce0d18662c3108d1e8569ddd835dcc32fab19
Opcode Fuzzy Hash: 2fefa127cb9df04fac42a62a94a585efb863aa25d6626e587d5daf311eb707ca
Instruction Fuzzy Hash: CF113631208382AAC754FF20D862DBE7BE6AF91710F44C52DF08A021A3CF34858AD71A

Function 006DD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006DD501
Process32FirstW.KERNEL32(00000000,?), ref: 006DD50F
Process32NextW.KERNEL32(00000000,?), ref: 006DD52F
CloseHandle.KERNELBASE(00000000), ref: 006DD5DC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 6ef44877694d7e01235979bbb21013709340e760973bf120a1ff95e9d0832773
Instruction ID: a5fb10a84d72fb053baad1cdb4e4205b6868bbf83f9ae94bcf6fd3e2293a1f89
Opcode Fuzzy Hash: 6ef44877694d7e01235979bbb21013709340e760973bf120a1ff95e9d0832773
Instruction Fuzzy Hash: 1A31AF710083009FD305EF64D881AAFBBF9EF99354F104A2DF585862A2EB719945CBA3

Function 006DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,006B5222), ref: 006DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 006DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 006DDBEE
FindClose.KERNEL32(00000000), ref: 006DDBFA

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 387a3348ebbe473b8a6ab47164634f4d3b75fc3def0ce2447272d8a145c8206e
Instruction ID: d9ef9d96400a50b1123b25e674410854f8a248ac0ff477940c2f42bbd0139de6
Opcode Fuzzy Hash: 387a3348ebbe473b8a6ab47164634f4d3b75fc3def0ce2447272d8a145c8206e
Instruction Fuzzy Hash: A1F0A0B082091497D2217B78AC0E8BA376DAE01374F208703F836C22E1EFB459558699

Function 00694CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006A28E9,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002,00000000,?,006A28E9), ref: 00694D09
TerminateProcess.KERNEL32(00000000,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002,00000000,?,006A28E9), ref: 00694D10
ExitProcess.KERNEL32 ref: 00694D22

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 81d29a6bec7a64e00d76646563cf800c31f5a1e426e4fe4410559c3f8be1d9f1
Instruction ID: 93abf86b25240ad99dc6149780b89db51434a33b153d541173bdc78987ee916f
Opcode Fuzzy Hash: 81d29a6bec7a64e00d76646563cf800c31f5a1e426e4fe4410559c3f8be1d9f1
Instruction Fuzzy Hash: ACE0B635010148EBCF16AF54DD09E987B6EFF46785B108218FC058A622CF39DD46CA88

Function 0067BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#t, xrefs: 006C07CE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#t
API String ID: 3964851224-1114731270
Opcode ID: a6336af2406ce0c7c92579c48590c7c3a647d306b76f0e3e6686adf611f2db10
Instruction ID: 82b749ec3eb11f2f018bebd0de1354f970a53627a208d7d6bf734a9780d76847
Opcode Fuzzy Hash: a6336af2406ce0c7c92579c48590c7c3a647d306b76f0e3e6686adf611f2db10
Instruction Fuzzy Hash: 23A25770608301DFD764DF28C480B6ABBE2FF89314F14896DE99A8B352D771E945CB92

Function 006FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 006FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006FB1D4
_wcslen.LIBCMT ref: 006FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006FB236
_wcslen.LIBCMT ref: 006FB332

Part of subcall function 006E05A7: GetStdHandle.KERNEL32(000000F6), ref: 006E05C6

_wcslen.LIBCMT ref: 006FB34B
_wcslen.LIBCMT ref: 006FB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006FB3B6
GetLastError.KERNEL32(00000000), ref: 006FB407
CloseHandle.KERNEL32(?), ref: 006FB439
CloseHandle.KERNEL32(00000000), ref: 006FB44A
CloseHandle.KERNEL32(00000000), ref: 006FB45C
CloseHandle.KERNEL32(00000000), ref: 006FB46E
CloseHandle.KERNEL32(?), ref: 006FB4E3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: c3eebc9bb1343763102d94d0bd38e5ed63d0d42095ba68ee68ce02dfe28cf05f
Instruction ID: 53031fc71143cad1ecf6eb795f298e7a4db1b32d07f2927e334e9d183f47b268
Opcode Fuzzy Hash: c3eebc9bb1343763102d94d0bd38e5ed63d0d42095ba68ee68ce02dfe28cf05f
Instruction Fuzzy Hash: C3F198316083049FDB54EF24C891B6EBBE6AF85314F18855DF9898B3A2DB31EC41CB56

Function 0067D730 Relevance: 21.6, APIs: 14, Instructions: 621windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0067D807
timeGetTime.WINMM ref: 0067DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB28
TranslateMessage.USER32(?), ref: 0067DB7B
DispatchMessageW.USER32(?), ref: 0067DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB9F
Sleep.KERNELBASE(0000000A), ref: 0067DBB1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 38a7d86d5925a09610f9664974012472b580be483f0dcf1fed8c478ef5363259
Instruction ID: 8823c9a292711d681f2be4c5317473d5982b52850e04776ef02f9a26d6165d8b
Opcode Fuzzy Hash: 38a7d86d5925a09610f9664974012472b580be483f0dcf1fed8c478ef5363259
Instruction Fuzzy Hash: 2842EE70604242DFD729DB24C854FBAB7B2FF86304F148A1EE95A87391C774E885CB96

Function 00672CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00672D07
RegisterClassExW.USER32(00000030), ref: 00672D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00672D42
InitCommonControlsEx.COMCTL32(?), ref: 00672D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00672D6F
LoadIconW.USER32(000000A9), ref: 00672D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00672D94

Strings

0, xrefs: 00672CE9
TaskbarCreated, xrefs: 00672D37
+, xrefs: 00672CF0
AutoIt v3 GUI, xrefs: 00672D23

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c6af64556f07bcc3b390e89901f9bce4a967cefee4e0f1052c8a151cf6c21d27
Instruction ID: 0bc84db1221c8c6c3c14aa39828348d366dce0043238d788691fd9088901b950
Opcode Fuzzy Hash: c6af64556f07bcc3b390e89901f9bce4a967cefee4e0f1052c8a151cf6c21d27
Instruction Fuzzy Hash: A321E3B5911248EFDB01EFA4EC49BDDBBB4FB09700F00821AF511A62A0DBB91584CF98

Function 006B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006B039A: CreateFileW.KERNELBASE(00000000,00000000,?,006B0704,?,?,00000000,?,006B0704,00000000,0000000C), ref: 006B03B7

GetLastError.KERNEL32 ref: 006B076F
__dosmaperr.LIBCMT ref: 006B0776
GetFileType.KERNELBASE(00000000), ref: 006B0782
GetLastError.KERNEL32 ref: 006B078C
__dosmaperr.LIBCMT ref: 006B0795
CloseHandle.KERNEL32(00000000), ref: 006B07B5
CloseHandle.KERNEL32(?), ref: 006B08FF
GetLastError.KERNEL32 ref: 006B0931
__dosmaperr.LIBCMT ref: 006B0938

Strings

H, xrefs: 006B08BD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f50148262f7b788279c75854cf5b2d6960841e94f13d83ca7d9fa040195d1562
Instruction ID: 989017e28c660199752c160f2dee3dadd58536f147512033f249d9d436477836
Opcode Fuzzy Hash: f50148262f7b788279c75854cf5b2d6960841e94f13d83ca7d9fa040195d1562
Instruction Fuzzy Hash: 15A13772A101048FEF19EF68D851BEE7FA2AB06320F14416EF811DB392DB359D52CB95

Function 0067344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00673A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00741418,?,00672E7F,?,?,?,00000000), ref: 00673A78

Part of subcall function 00673357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00673379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0067356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006B31CE
RegCloseKey.ADVAPI32(?), ref: 006B3210
_wcslen.LIBCMT ref: 006B3277
_wcslen.LIBCMT ref: 006B3286

Strings

\, xrefs: 006B328C
Software\AutoIt v3\AutoIt, xrefs: 00673560
Include, xrefs: 006B3184, 006B31C5
\Include\, xrefs: 00673527

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 23d58d10f5d706b65d6cb58c375acba12f8607f1a9071f376ebf6d3f2a41132e
Instruction ID: fb31efc19cf1c46f90c08fdf9521502157992ecd0cfcdf9ce527894c4ae45ba8
Opcode Fuzzy Hash: 23d58d10f5d706b65d6cb58c375acba12f8607f1a9071f376ebf6d3f2a41132e
Instruction Fuzzy Hash: 3F71D7B15043009EC354DF65DC428ABBBF9FF86740F80852EF545832B1EB389A59CB6A

Function 00672B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00672B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00672B9D
LoadIconW.USER32(00000063), ref: 00672BB3
LoadIconW.USER32(000000A4), ref: 00672BC5
LoadIconW.USER32(000000A2), ref: 00672BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00672BEF
RegisterClassExW.USER32(?), ref: 00672C40

Part of subcall function 00672CD4: GetSysColorBrush.USER32(0000000F), ref: 00672D07
Part of subcall function 00672CD4: RegisterClassExW.USER32(00000030), ref: 00672D31
Part of subcall function 00672CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00672D42
Part of subcall function 00672CD4: InitCommonControlsEx.COMCTL32(?), ref: 00672D5F
Part of subcall function 00672CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00672D6F
Part of subcall function 00672CD4: LoadIconW.USER32(000000A9), ref: 00672D85
Part of subcall function 00672CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00672D94

Strings

AutoIt v3, xrefs: 00672C2F
#, xrefs: 00672C16
0, xrefs: 00672C0F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: eeed44c612e88440173b995acd4f1735804f1dcc1048018ef4743ea3e574ca23
Instruction ID: 7df356b97d1aa7d96706c668f4a41f56febc562ea5a471db30068d855e4ba59f
Opcode Fuzzy Hash: eeed44c612e88440173b995acd4f1735804f1dcc1048018ef4743ea3e574ca23
Instruction Fuzzy Hash: 6E214C78E40314ABDB11AFA5EC55A997FB4FB09B50F40C11BF500A66A0D7B90580CF98

Function 00673170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0067316A,?,?), ref: 006731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0067316A,?,?), ref: 00673204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00673227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0067316A,?,?), ref: 00673232
CreatePopupMenu.USER32 ref: 00673246
PostQuitMessage.USER32(00000000), ref: 00673267

Strings

TaskbarCreated, xrefs: 0067322D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f9cd330203db420aaff7e4a79456c91ea2f557f63b3c5cd320f12b6acd398f8e
Instruction ID: 8ebb1e45721b707ecfeead1796deda140d09d3abc90b2ddb02a357ca9d79e904
Opcode Fuzzy Hash: f9cd330203db420aaff7e4a79456c91ea2f557f63b3c5cd320f12b6acd398f8e
Instruction Fuzzy Hash: 82416D35250224E7DB152B388C197F9375BE706340F94C22AF519853A2CB799B81A76A

Function 00671410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00671459
CoUninitialize.COMBASE ref: 006714F8
UnregisterHotKey.USER32(?), ref: 006716DD
DestroyWindow.USER32(?), ref: 006B24B9
FreeLibrary.KERNEL32(?), ref: 006B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006B254B

Strings

close all, xrefs: 00671454

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d5856dc2ed8dcacb850b2e71d6d42e017364059d6ff69d2533719ebbff4d1297
Instruction ID: 927b685f9bbf8cfe650c89af0845d1b7cbd8d0ad1a0f7164b3d11022540d3d52
Opcode Fuzzy Hash: d5856dc2ed8dcacb850b2e71d6d42e017364059d6ff69d2533719ebbff4d1297
Instruction Fuzzy Hash: 62D18E71701212CFDB29EF18C4A9AA9F7E2BF05700F1482AEE54A6B351DB30AD52CF55

Function 00672C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00672C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00672CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00671CAD,?), ref: 00672CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00671CAD,?), ref: 00672CCF

Strings

AutoIt v3, xrefs: 00672C89, 00672C8E, 00672C8F
edit, xrefs: 00672CAC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3138124e542219b13b619dcd6c4875a3a3be8c39cfb9a55edc4fb84ea656af7d
Instruction ID: 74c89562dc90a907d3f6e7499ff68f5e0b45982fb14a1c6e3ddba9608e105052
Opcode Fuzzy Hash: 3138124e542219b13b619dcd6c4875a3a3be8c39cfb9a55edc4fb84ea656af7d
Instruction Fuzzy Hash: 09F0DA79540290BAEB322B17AC48E772EBDD7C7F50B41815AF900A25A0C7691894DAB8

Function 00673B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00673B0F,SwapMouseButtons,00000004,?), ref: 00673B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00673B0F,SwapMouseButtons,00000004,?), ref: 00673B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00673B0F,SwapMouseButtons,00000004,?), ref: 00673B83

Strings

Control Panel\Mouse, xrefs: 00673B3E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4e6e540956636cb99ac5f71540a9b5987a977727d209660e6d2ba9b37d36ab44
Instruction ID: 63cc692715799ec3a825e3731a91e814e915e9b7117598a3362f87abc2a5678a
Opcode Fuzzy Hash: 4e6e540956636cb99ac5f71540a9b5987a977727d209660e6d2ba9b37d36ab44
Instruction Fuzzy Hash: B0112AB5510218FFDB218FA5DC44AEEB7BDEF24B44B10855AA809D7210E6319E40A7A4

Function 00673923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006B33A2

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00673A04

Strings

Line: , xrefs: 006B33EB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: c37b288d0d3f25af4309c05db1e4b8cf55e0be4230b78e7d9c6c511e89f7667a
Instruction ID: 83312c4221b95f5740342c8d133f538cc439f169ad144c62c2efdf06ec497d22
Opcode Fuzzy Hash: c37b288d0d3f25af4309c05db1e4b8cf55e0be4230b78e7d9c6c511e89f7667a
Instruction Fuzzy Hash: B631C571508320AEC761EF20DC45BEBB7D9AB41710F00861EF59D83291EF749689C7CA

Function 00672DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 006B2C8C

Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2

Part of subcall function 00672DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00672DC4

Strings

`es, xrefs: 006B2C85
X, xrefs: 006B2C5A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`es
API String ID: 779396738-2017476410
Opcode ID: 7f415214d1fdfe20ddb54de6ef1af4044109497a86244d0dd15b78539aa09db5
Instruction ID: 22641b3b94c096829976899d882e4851b7d74dafa1fb4b59e36962290dc510ba
Opcode Fuzzy Hash: 7f415214d1fdfe20ddb54de6ef1af4044109497a86244d0dd15b78539aa09db5
Instruction Fuzzy Hash: D4219671A00258ABDB41DF94C8557EE7BFDAF49304F00C05DE509A7241DBB85A898B65

Function 0068FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00690668

Part of subcall function 006932A4: RaiseException.KERNEL32(?,?,?,0069068A,?,00741444,?,?,?,?,?,?,0069068A,00671129,00738738,00671129), ref: 00693304

__CxxThrowException@8.LIBVCRUNTIME ref: 00690685

Strings

Unknown exception, xrefs: 00690692

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c7e87462b50f60ba1b597f5ee4061d846326553e5eeefe24df497d93d0dbf1ce
Instruction ID: eb83d81bafdd1d4a15241a2dda63b58229d6142cb350c08d601f427f45cfe890
Opcode Fuzzy Hash: c7e87462b50f60ba1b597f5ee4061d846326553e5eeefe24df497d93d0dbf1ce
Instruction Fuzzy Hash: 42F04F34900209ABDF40B7A4D846C9E776E5E40350B604639B924D6ED2EF71EB66C685

Function 006710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00671BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00671BF4
Part of subcall function 00671BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00671BFC
Part of subcall function 00671BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00671C07
Part of subcall function 00671BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00671C12
Part of subcall function 00671BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00671C1A
Part of subcall function 00671BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00671C22

Part of subcall function 00671B4A: RegisterWindowMessageW.USER32(00000004,?,006712C4), ref: 00671BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0067136A
OleInitialize.OLE32 ref: 00671388
CloseHandle.KERNEL32(00000000,00000000), ref: 006B24AB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 60be978bd76c84799d71f62e8f147643beae938fe3f9c561485d5743ad5e0fce
Instruction ID: ded2b8aa272b74e8623566e161bea691a6512e7fec3cf752715b414cf8d52652
Opcode Fuzzy Hash: 60be978bd76c84799d71f62e8f147643beae938fe3f9c561485d5743ad5e0fce
Instruction Fuzzy Hash: 887199B89112408FC384FF79E845695BAE5AB8A394395C22FD51ACB261EB3C44E0CF5D

Function 006DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00673923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00673A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006DC259
KillTimer.USER32(?,00000001,?,?), ref: 006DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006DC270

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 2b82241475eafa98fde9b8f44fefaa82244c9e75cc97d594d041ac6538847971
Instruction ID: a4b5d0e74b576f81b2dbcf0d52354b4e6c6fe54a83268a7c65ce660034a5538a
Opcode Fuzzy Hash: 2b82241475eafa98fde9b8f44fefaa82244c9e75cc97d594d041ac6538847971
Instruction Fuzzy Hash: AE31E370D00348AFEB329F648895BE7BBEDAB02314F00409EE2DA93341C7745A85CB55

Function 006A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006A85CC,?,00738CC8,0000000C), ref: 006A8704
GetLastError.KERNEL32(?,006A85CC,?,00738CC8,0000000C), ref: 006A870E
__dosmaperr.LIBCMT ref: 006A8739

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 51d0aa4760f447e1d1072ccbf1286092fe14ba8e9f465c05b37445c277b3bc82
Instruction ID: b8f48747e1b706b225df81947c9e5eccbe475c019a622d0c0f47537b99e501ea
Opcode Fuzzy Hash: 51d0aa4760f447e1d1072ccbf1286092fe14ba8e9f465c05b37445c277b3bc82
Instruction Fuzzy Hash: 6B0148326046202EEAA0B3346845BAE674B4BC3774F39121DE8058B2D2EEA4DC818998

Function 0067DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0067DB7B
DispatchMessageW.USER32(?), ref: 0067DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0067DB9F
Sleep.KERNELBASE(0000000A), ref: 0067DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 006C1CC9

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 1959d3d4473a5c9a50bafa81b215815a8c95c8c40f8cb6589389672888aacbec
Instruction ID: ae2f2fddd2258be9dffaa327468a27827b1aa5a6bf7d2f9b737de702dbde35dc
Opcode Fuzzy Hash: 1959d3d4473a5c9a50bafa81b215815a8c95c8c40f8cb6589389672888aacbec
Instruction Fuzzy Hash: 1EF05E30644340DBE730DB608C49FEA73BEEF46710F508B19F61A971C0DB78A4888B19

Function 00681310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006817F6

Strings

CALL, xrefs: 006817C6

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 104c9d4830ef94b4239937cb64c94fb0fec7fda30ddfef17196883a1791602cb
Instruction ID: 4012f82fe222443142145800400a607e27eb518336bb1fca6f994464abb7b76c
Opcode Fuzzy Hash: 104c9d4830ef94b4239937cb64c94fb0fec7fda30ddfef17196883a1791602cb
Instruction Fuzzy Hash: 5B229CB06082419FC714EF14C484B6ABBF6FF86314F248A6DF49A8B361D771E942CB56

Function 00673837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00673908

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e4f9fc0775f6f7b14eb8f1b57dfca7d7471edb91c3fc3c40da03d6da52049bbc
Instruction ID: e4349a7a8cc215558269212fbd5e34458d51b06071fbe33078e84f04bfc7b0d1
Opcode Fuzzy Hash: e4f9fc0775f6f7b14eb8f1b57dfca7d7471edb91c3fc3c40da03d6da52049bbc
Instruction Fuzzy Hash: C0318EB0A043119FD761EF24D8847D7BBE9FB49708F00492EF69983340E775AA84DB56

Function 0068F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0068F661

Part of subcall function 0067D730: GetInputState.USER32 ref: 0067D807

Sleep.KERNEL32(00000000), ref: 006CF2DE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: f51d3710f0228d7e3cd9c595ca8e4135bc2fd4625ed270c0a0df4244c1a2126c
Instruction ID: 3fa48b08f024357767692b7162638054f716925011c36fbcad5f9d2502a162ad
Opcode Fuzzy Hash: f51d3710f0228d7e3cd9c595ca8e4135bc2fd4625ed270c0a0df4244c1a2126c
Instruction Fuzzy Hash: 98F08C312402059FD354EF69D44AB6AB7EAEF45761F00822DE85DC72A0EF70A800CB99

Function 00674ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00674E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E9C
Part of subcall function 00674E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00674EAE
Part of subcall function 00674E90: FreeLibrary.KERNEL32(00000000,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674EFD

Part of subcall function 00674E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E62
Part of subcall function 00674E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00674E74
Part of subcall function 00674E59: FreeLibrary.KERNEL32(00000000,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E87

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 066aedc963a80dfb07d249d38190a02c42b8314a0583937d246b5d774ff451c8
Instruction ID: bc8e55a20edfd5cc7418905b90edbb39726f0984e7c78f31f30348d6131bf43d
Opcode Fuzzy Hash: 066aedc963a80dfb07d249d38190a02c42b8314a0583937d246b5d774ff451c8
Instruction Fuzzy Hash: 25110132600205AACB10EB70DC0ABAD77A6AF80710F20C42DF04AA62C1EFB59A459B58

Function 006A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006A8440

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 18c7c5e38070e748bf528c94747af5ed9f7ac61b695de48ffad83a00653557d1
Instruction ID: 667f006820152c08445e78741083e292dd8cec298d9859e3f09620ec66ff1222
Opcode Fuzzy Hash: 18c7c5e38070e748bf528c94747af5ed9f7ac61b695de48ffad83a00653557d1
Instruction Fuzzy Hash: AD11187590420AAFCB05EF58E9459DA7BF9EF49314F104099F808AB312DB31DE11CBA9

Function 006A5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006A4C7D: RtlAllocateHeap.NTDLL(00000008,00671129,00000000,?,006A2E29,00000001,00000364,?,?,?,0069F2DE,006A3863,00741444,?,0068FDF5,?), ref: 006A4CBE

_free.LIBCMT ref: 006A506C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d82d6bc25fdf770cbd58f2d3efcc4b0b2109dabe1f07b165c68829e7b9f0d8ad
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 43012B722047055BE321DE559C41A9AFBEAFB8A370F25051DE18583280EA706C05CA74

Function 0069E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e576880390945a8185c69933fc946315a5c6ad1811dc10ebe565eac1cba42370
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 1FF0F932510E109ADE717A698C05B96339F9FA3331F10072DF420D7AD2DF75E8028AAD

Function 006A4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00671129,00000000,?,006A2E29,00000001,00000364,?,?,?,0069F2DE,006A3863,00741444,?,0068FDF5,?), ref: 006A4CBE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e26f8ca24a124d6a16bd6d9459f61ce3a523045fad9693f7e81ac6e3b62023b9
Instruction ID: 37d2a86d78112470aba23c9ed12d2787493bbe291d8656aba9a2cc6c8458b5ed
Opcode Fuzzy Hash: e26f8ca24a124d6a16bd6d9459f61ce3a523045fad9693f7e81ac6e3b62023b9
Instruction Fuzzy Hash: 65F0BB3150612466DB217F619C05F96379BAFC3770B154215B81F96681CEF0DC024A94

Function 006A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dce766c804e5a610ce89067f6f54c050f57fa4878af91cfa172534c4da84492b
Instruction ID: 34cf1e90ee7d562e0188b1f15bf0fb35628ca503a774a351fb680207470bdc78
Opcode Fuzzy Hash: dce766c804e5a610ce89067f6f54c050f57fa4878af91cfa172534c4da84492b
Instruction Fuzzy Hash: CAE0E53110123496DA213B669C05FDA375FAF437B0F054125BC0592B80DF18DE028BE4

Function 00674F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674F6D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 902acb239060c4ff7c26cc52e0eba61e9715dab2d82e0b16f9529d5562951a5d
Instruction ID: 018d4f5e04e57ee8bf7f05736d1874f467be10008c7b4c15726ef8930b6ff7e4
Opcode Fuzzy Hash: 902acb239060c4ff7c26cc52e0eba61e9715dab2d82e0b16f9529d5562951a5d
Instruction Fuzzy Hash: 30F03971105752CFDB349F64D498862FBE6EF55329320CA7EE1EE82621CB3A9884DF10

Function 00702A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00702A66

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4291adc1cc213187842ec9dbdda5ff96c3270c2b519398b5e9b3218e6de22739
Instruction ID: 95093b0c4e819a62f4d86fb9e0ec0d800c33d9f420e5e6cca553ff5ef9f53c26
Opcode Fuzzy Hash: 4291adc1cc213187842ec9dbdda5ff96c3270c2b519398b5e9b3218e6de22739
Instruction Fuzzy Hash: D1E0DF72740216EAC760EB30DC848FA739CEB10390B10823ABC1BC6241EF38898682A4

Function 006730F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0067314E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ed0103d5d4a90a59fd182daf1e6de1ad87a8ea9d5f9dfde2cbef7cfbcc123bc0
Instruction ID: c3552c840d8b79fe0adec6342fb9a47f29e6b9f4e1989302d58dbb4179f7b276
Opcode Fuzzy Hash: ed0103d5d4a90a59fd182daf1e6de1ad87a8ea9d5f9dfde2cbef7cfbcc123bc0
Instruction Fuzzy Hash: 6CF0A7709003149FEB62AF24DC457D57BFCA701708F0041EAA14897281DB7447C8CF45

Function 00672DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00672DC4

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 13ae075d180392f66e479eb7ab4dd4d70e0fbc3501e6ef098c2f01a201e32e7e
Instruction ID: fac7d9ea4ca000afba2744d52f99874480a8ab06c08290aec0d66df7c93c68c3
Opcode Fuzzy Hash: 13ae075d180392f66e479eb7ab4dd4d70e0fbc3501e6ef098c2f01a201e32e7e
Instruction Fuzzy Hash: CAE0CD726001245BC7119358DC05FEA77DDDFC9790F044175FD09D7249D964ADC0C654

Function 00672B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00673837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00673908

Part of subcall function 0067D730: GetInputState.USER32 ref: 0067D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00672B6B

Part of subcall function 006730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0067314E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 02eeceaf74683cad6ff56d21147e90dd8a81d36e737c54be3364c4d33ea4384a
Instruction ID: 942da974f0d43b4ce66ac9924867db4052046bd4cbca2f0101a584292e8aea8b
Opcode Fuzzy Hash: 02eeceaf74683cad6ff56d21147e90dd8a81d36e737c54be3364c4d33ea4384a
Instruction Fuzzy Hash: 57E0262130025803CA48BB3498124ADA75B8FD2351F40C93EF04A432A3CF284585421A

Function 006B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,006B0704,?,?,00000000,?,006B0704,00000000,0000000C), ref: 006B03B7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4cb400460d2b9a1050a37e9ace85d8646f4242149c013e930964876543c7a25b
Instruction ID: 52fddc863a6ef67570f5ece4d21d421bfe67416b24c62a431f372df3433b19ac
Opcode Fuzzy Hash: 4cb400460d2b9a1050a37e9ace85d8646f4242149c013e930964876543c7a25b
Instruction Fuzzy Hash: F3D06C3204010DFBDF028F84DD06EDA3BAAFB48714F018100BE1856020C736E821AB94

Function 00671CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00671CBC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2df282f278294eae14db9e2f2a01f1a5a23e7ebe9abbe4da7f7e68e885471b5c
Instruction ID: 9bdd244d0dfb8e2508d5d561569e8caf98d718ec7861b09e325e5d9104724437
Opcode Fuzzy Hash: 2df282f278294eae14db9e2f2a01f1a5a23e7ebe9abbe4da7f7e68e885471b5c
Instruction Fuzzy Hash: ACC09B3D280304DFF2155B80BC5AF107754A349F00F54C102F609555E3C7A51471D658

Non-executed Functions

Function 00709576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0070961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0070965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0070969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007096C9
SendMessageW.USER32 ref: 007096F2
GetKeyState.USER32(00000011), ref: 0070978B
GetKeyState.USER32(00000009), ref: 00709798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007097AE
GetKeyState.USER32(00000010), ref: 007097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007097E9
SendMessageW.USER32 ref: 00709810
SendMessageW.USER32(?,00001030,?,00707E95), ref: 00709918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0070992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00709941
SetCapture.USER32(?), ref: 0070994A
ClientToScreen.USER32(?,?), ref: 007099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007099D6
ReleaseCapture.USER32 ref: 007099E1
GetCursorPos.USER32(?), ref: 00709A19
ScreenToClient.USER32(?,?), ref: 00709A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00709A80
SendMessageW.USER32 ref: 00709AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00709AEB
SendMessageW.USER32 ref: 00709B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00709B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00709B4A
GetCursorPos.USER32(?), ref: 00709B68
ScreenToClient.USER32(?,?), ref: 00709B75
GetParent.USER32(?), ref: 00709B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00709BFA
SendMessageW.USER32 ref: 00709C2B
ClientToScreen.USER32(?,?), ref: 00709C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00709CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00709CDE
SendMessageW.USER32 ref: 00709D01
ClientToScreen.USER32(?,?), ref: 00709D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00709D82

Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952

GetWindowLongW.USER32(?,000000F0), ref: 00709E05

Strings

p#t, xrefs: 00709990
@GUI_DRAGID, xrefs: 0070997D
F, xrefs: 00709D07

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#t
API String ID: 3429851547-3160486056
Opcode ID: ba287b2789b1bb368a1b11bcc457295a5eedc1a5954247d4d6b456e3b5020cda
Instruction ID: f73439ee78c5c09bfa6f29cfaa4a4bea9eed7d8e61574fa83dfb0c8a019218b9
Opcode Fuzzy Hash: ba287b2789b1bb368a1b11bcc457295a5eedc1a5954247d4d6b456e3b5020cda
Instruction Fuzzy Hash: 41428B35208240EFDB25DF24CC44AAABBE5FF49310F144B59F799872E2DB3AA850CB55

Function 00704873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00704908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00704927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0070494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0070495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0070497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00704A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00704A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00704A7E
IsMenu.USER32(?), ref: 00704A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00704AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00704B20
GetWindowLongW.USER32(?,000000F0), ref: 00704B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00704BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00704C82
wsprintfW.USER32 ref: 00704CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00704CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00704CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00704D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00704D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00704D5A

Strings

%d/%02d/%02d, xrefs: 00704CA8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6893680cbe562a11a573338abd5d5b7fb98cbfdc0f8cea3f970472cf7fcca043
Instruction ID: acc8a79115f567b7d5dada888a52d118fec3c9e5280d4376cd32e1a22de2aa72
Opcode Fuzzy Hash: 6893680cbe562a11a573338abd5d5b7fb98cbfdc0f8cea3f970472cf7fcca043
Instruction Fuzzy Hash: 8812EEB1600205EBEB259F24CC49FAE7BF8FB85310F148369F615DA2E1DB78A941CB54

Function 0068F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0068F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CF474
IsIconic.USER32(00000000), ref: 006CF47D
ShowWindow.USER32(00000000,00000009), ref: 006CF48A
SetForegroundWindow.USER32(00000000), ref: 006CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CF4AA
GetCurrentThreadId.KERNEL32 ref: 006CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 006CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 006CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 006CF4DE
SetForegroundWindow.USER32(00000000), ref: 006CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF4F6
keybd_event.USER32(00000012,00000000), ref: 006CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF50B
keybd_event.USER32(00000012,00000000), ref: 006CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF519
keybd_event.USER32(00000012,00000000), ref: 006CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 006CF528
keybd_event.USER32(00000012,00000000), ref: 006CF52D
SetForegroundWindow.USER32(00000000), ref: 006CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 006CF557

Strings

Shell_TrayWnd, xrefs: 006CF46F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: cef900857a7f2b279a305b14f7dfc7c6ee1a8550b4d087e283c04e37c0d5ae51
Instruction ID: 2dc0414f0b66de784ba09ca6eb3d06c1d99f535678babd13276d6ba2b1a152ca
Opcode Fuzzy Hash: cef900857a7f2b279a305b14f7dfc7c6ee1a8550b4d087e283c04e37c0d5ae51
Instruction Fuzzy Hash: 7731A671A40218BFEB216BB54C4AFBF7E6EEB44B50F104269F700E61D1CBB55D10AA64

Function 006D1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006D170D
Part of subcall function 006D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006D173A
Part of subcall function 006D16C3: GetLastError.KERNEL32 ref: 006D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 006D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006D12A8
CloseHandle.KERNEL32(?), ref: 006D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006D12D1
GetProcessWindowStation.USER32 ref: 006D12EA
SetProcessWindowStation.USER32(00000000), ref: 006D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006D1310

Part of subcall function 006D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006D11FC), ref: 006D10D4
Part of subcall function 006D10BF: CloseHandle.KERNEL32(?,?,006D11FC), ref: 006D10E9

Strings

Zs, xrefs: 006D1392
default, xrefs: 006D130B
, xrefs: 006D125A
winsta0, xrefs: 006D12CC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zs
API String ID: 22674027-986068762
Opcode ID: d83aa8074d00345c4dacddaee63d1177dd3a94b2dc6a25e780adbba18be3593b
Instruction ID: f219f42f4d34c3a8b39c8133f37a612f2dfa35a7bffe274c16666085f9821345
Opcode Fuzzy Hash: d83aa8074d00345c4dacddaee63d1177dd3a94b2dc6a25e780adbba18be3593b
Instruction Fuzzy Hash: 2E817171D00209BBDF219FA4DC49FEE7BBAEF09704F14821AF910AA390DBB58945CB55

Function 006D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006D1114
Part of subcall function 006D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1120
Part of subcall function 006D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D112F
Part of subcall function 006D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1136
Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006D0C00
GetLengthSid.ADVAPI32(?), ref: 006D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 006D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006D0C6D
GetLengthSid.ADVAPI32(?), ref: 006D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 006D0C8C
HeapAlloc.KERNEL32(00000000), ref: 006D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006D0CB4
CopySid.ADVAPI32(00000000), ref: 006D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0D45
HeapFree.KERNEL32(00000000), ref: 006D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0D55
HeapFree.KERNEL32(00000000), ref: 006D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0D65
HeapFree.KERNEL32(00000000), ref: 006D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 006D0D78
HeapFree.KERNEL32(00000000), ref: 006D0D7F

Part of subcall function 006D1193: GetProcessHeap.KERNEL32(00000008,006D0BB1,?,00000000,?,006D0BB1,?), ref: 006D11A1
Part of subcall function 006D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006D0BB1,?), ref: 006D11A8
Part of subcall function 006D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006D0BB1,?), ref: 006D11B7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0ab7fe832cd93dc548d1867e6f9bcd8c81369f66bab68225ad1f93d996106a21
Instruction ID: b2ecc0855f7fea8e89ec2fb1f42fa57b029de25a30640d8e6bb27295bff30d4f
Opcode Fuzzy Hash: 0ab7fe832cd93dc548d1867e6f9bcd8c81369f66bab68225ad1f93d996106a21
Instruction Fuzzy Hash: E9715C71D0020AEFEF11DFA4DC45BEEBBBABF09300F148616E914A7291DB75A905CB60

Function 006EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0070CC08), ref: 006EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 006EEB37
GetClipboardData.USER32(0000000D), ref: 006EEB43
CloseClipboard.USER32 ref: 006EEB4F
GlobalLock.KERNEL32(00000000), ref: 006EEB87
CloseClipboard.USER32 ref: 006EEB91
GlobalUnlock.KERNEL32(00000000), ref: 006EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 006EEBC9
GetClipboardData.USER32(00000001), ref: 006EEBD1
GlobalLock.KERNEL32(00000000), ref: 006EEBE2
GlobalUnlock.KERNEL32(00000000), ref: 006EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 006EEC38
GetClipboardData.USER32(0000000F), ref: 006EEC44
GlobalLock.KERNEL32(00000000), ref: 006EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006EECD2
GlobalUnlock.KERNEL32(00000000), ref: 006EECF3
CountClipboardFormats.USER32 ref: 006EED14
CloseClipboard.USER32 ref: 006EED59

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 4e828392334873367c1d4b9e7861196ed1fdf1b1f286311f64158f8605f97f30
Instruction ID: 6cc427d6ed7f16289f307b35c373bef45b39d6bb25d64db547404e24c9b901ee
Opcode Fuzzy Hash: 4e828392334873367c1d4b9e7861196ed1fdf1b1f286311f64158f8605f97f30
Instruction Fuzzy Hash: 7B61DD34204341DFD311EF21D889F6A77A6AF84714F14861DF45A872A2DF36DD0ACBA6

Function 006E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006E69BE
FindClose.KERNEL32(00000000), ref: 006E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006E6A75

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 006E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 006E6ADF

Strings

%03d, xrefs: 006E6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 006E6B32
%4d%02d%02d%02d%02d%02d, xrefs: 006E6B6A
%02d, xrefs: 006E6C00, 006E6C0A, 006E6C5A, 006E6CAA, 006E6CFA, 006E6D4A
%4d, xrefs: 006E6BB1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 8f9b26bcd62b35cc50b2f753640a11bd6c1a68c205341568af2d50e305eb9401
Instruction ID: f3a18b76fe98396fd46addc9ce5f8f3f5dd8fcc953bcd0aef9af82756e295b80
Opcode Fuzzy Hash: 8f9b26bcd62b35cc50b2f753640a11bd6c1a68c205341568af2d50e305eb9401
Instruction Fuzzy Hash: 50D150B1508340AFC754EBA5C882EABB7EDAF98704F04891DF589C7191EB74DA44CB62

Function 006E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006E9663
GetFileAttributesW.KERNEL32(?), ref: 006E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 006E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 006E96D3
FindClose.KERNEL32(00000000), ref: 006E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 006E974A
SetCurrentDirectoryW.KERNEL32(00736B7C), ref: 006E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 006E9772
FindClose.KERNEL32(00000000), ref: 006E977F
FindClose.KERNEL32(00000000), ref: 006E978F

Strings

*.*, xrefs: 006E96F5

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 17bf6a21cc5282a22df4258f80839232f908f148523922722541f8ecbaeee65e
Instruction ID: 20c67d96976b2a51269e4b700879c4ae0df5f8c58450c7c828a8de8689165e44
Opcode Fuzzy Hash: 17bf6a21cc5282a22df4258f80839232f908f148523922722541f8ecbaeee65e
Instruction Fuzzy Hash: 9331F672501359BAEF15AFB5DC08ADE77ADAF09320F108256F805E2191DB34DE44CE24

Function 006E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 006E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 006E9819
FindClose.KERNEL32(00000000), ref: 006E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 006E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 006E9890
SetCurrentDirectoryW.KERNEL32(00736B7C), ref: 006E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006E98B8
FindClose.KERNEL32(00000000), ref: 006E98C5
FindClose.KERNEL32(00000000), ref: 006E98D5

Part of subcall function 006DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006DDB00

Strings

*.*, xrefs: 006E983B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 770e4fd63fe0b4178ddcfc7af3dd4b08ca75fef4f521bcaa5b7640e8e1f27638
Instruction ID: 22bd66f457236c5d471d2bb3ea4c4f5a1e2ca489a5f37fdda9f8d23264bc1782
Opcode Fuzzy Hash: 770e4fd63fe0b4178ddcfc7af3dd4b08ca75fef4f521bcaa5b7640e8e1f27638
Instruction Fuzzy Hash: 5531C371501359AAEF21AFB5DC48ADF77AEAF06320F248655E810E22E1DB34DE458F34

Function 006FBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FC9F1
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA68
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 006FBFA9
RegCloseKey.ADVAPI32(00000000), ref: 006FBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006FC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006FC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006FC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006FC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 006FC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006FC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006FC382
RegCloseKey.ADVAPI32(00000000), ref: 006FC38F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 655052b728cbe76b672105fe876177bb377dc64237e15157bc0ba3c8a5d203f9
Instruction ID: 24c86791ad28afd4873233da889998ce1f2d8241bf87ac21dead9ff16d40dbbb
Opcode Fuzzy Hash: 655052b728cbe76b672105fe876177bb377dc64237e15157bc0ba3c8a5d203f9
Instruction Fuzzy Hash: C6025B716042049FD714CF28C991E2ABBE6EF89314F18C59DF94ACB2A2DB31ED46CB51

Function 006E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 006E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 006E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 006E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 006E8395

Strings

*.*, xrefs: 006E839B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 8b8de0d4136bbafba370b92f13ddcedf7fdb087948877f7ac7b0fa76c5a5177c
Instruction ID: b853d72387f06cd189d779f5f7453ed9a5d1df8741c063e7a422ef5aad83057c
Opcode Fuzzy Hash: 8b8de0d4136bbafba370b92f13ddcedf7fdb087948877f7ac7b0fa76c5a5177c
Instruction Fuzzy Hash: DD6199B25043459FDB10EF60C8409AEB3EAFF89310F04892EF989D7251EB35E905CB96

Function 006DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2

Part of subcall function 006DE199: GetFileAttributesW.KERNEL32(?,006DCF95), ref: 006DE19A

FindFirstFileW.KERNEL32(?,?), ref: 006DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 006DD1DD
MoveFileW.KERNEL32(?,?), ref: 006DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 006DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 006DD237

Part of subcall function 006DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,006DD21C,?,?), ref: 006DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 006DD253
FindClose.KERNEL32(00000000), ref: 006DD264

Strings

\*.*, xrefs: 006DD0CD, 006DD0D6, 006DD0EB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: f9c0c9ef69c26b358b3b499f315c6c0ba9107b1bb9b30405532d2207fc1984ba
Instruction ID: e9f529fbbcb7fb5352d1757a68ebdcf21c579e83b4af8d7e12c1cfe4c1b65562
Opcode Fuzzy Hash: f9c0c9ef69c26b358b3b499f315c6c0ba9107b1bb9b30405532d2207fc1984ba
Instruction Fuzzy Hash: 12616B31C0110DAACF45FBE0CD929EDB7B6AF55300F20816AE50677292EB316F09DB65

Function 006EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006EED91
EmptyClipboard.USER32 ref: 006EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 006EEDAC
CloseClipboard.USER32 ref: 006EEEA3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 136a5ebdae6fa69646af7d0fa64bc2c21e102aae9d458688fda8cd0cd11fdfba
Instruction ID: cddb172760195b49120c1a2467fe503b62a1a082c5ed0a8eb6b3cb8507732c5e
Opcode Fuzzy Hash: 136a5ebdae6fa69646af7d0fa64bc2c21e102aae9d458688fda8cd0cd11fdfba
Instruction Fuzzy Hash: 1C41AE35605651DFD321DF16D888B59BBE2AF44328F14C19DE4198B762CB3AEC42CB94

Function 006DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006D170D
Part of subcall function 006D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006D173A
Part of subcall function 006D16C3: GetLastError.KERNEL32 ref: 006D174A

ExitWindowsEx.USER32(?,00000000), ref: 006DE932

Strings

@, xrefs: 006DE925
SeShutdownPrivilege, xrefs: 006DE902
, xrefs: 006DE920
, xrefs: 006DE95C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1aca90c1b1e47b4b57c182915b0e0c4f023caee6c1eebb8a295e37c8b27c2b79
Instruction ID: 5562bd69912778cf7366de2ab0df999eddd90f450109cb4fb003810c2ef300f6
Opcode Fuzzy Hash: 1aca90c1b1e47b4b57c182915b0e0c4f023caee6c1eebb8a295e37c8b27c2b79
Instruction Fuzzy Hash: C4012672E11211BBEB6433B49C96BFF725EA714751F144A27F802EE3D2D9A65C4081D8

Function 006F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006F1276
WSAGetLastError.WSOCK32 ref: 006F1283
bind.WSOCK32(00000000,?,00000010), ref: 006F12BA
WSAGetLastError.WSOCK32 ref: 006F12C5
closesocket.WSOCK32(00000000), ref: 006F12F4
listen.WSOCK32(00000000,00000005), ref: 006F1303
WSAGetLastError.WSOCK32 ref: 006F130D
closesocket.WSOCK32(00000000), ref: 006F133C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a6658d01a6af8b077fc057d2a55ab530ca441f8ac4169ff3692543f33035e2a7
Instruction ID: 3d55cfb0f8244361cff729ddf5695f704b3d066c55ce5bd5e05f3a0915c084f8
Opcode Fuzzy Hash: a6658d01a6af8b077fc057d2a55ab530ca441f8ac4169ff3692543f33035e2a7
Instruction Fuzzy Hash: DE418E31600104DFD710DF68C488B69BBE6AF86358F18C288E9568F3D6C775ED82CBA1

Function 006DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2

Part of subcall function 006DE199: GetFileAttributesW.KERNEL32(?,006DCF95), ref: 006DE19A

FindFirstFileW.KERNEL32(?,?), ref: 006DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 006DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 006DD481
FindClose.KERNEL32(00000000), ref: 006DD498
FindClose.KERNEL32(00000000), ref: 006DD4A1

Strings

\*.*, xrefs: 006DD3F2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: cb39b012187ff99155685d01939049f6067920b9c86065e0aa3f5c0e3d894c18
Instruction ID: 24791777c7ffc95319ea8e0d775872d117a8ed6c902c85c5392d792c7a2ce394
Opcode Fuzzy Hash: cb39b012187ff99155685d01939049f6067920b9c86065e0aa3f5c0e3d894c18
Instruction Fuzzy Hash: AB31A2314183459BC305FF60C8528AFB7E9BE91314F408E1EF4D593291EB30AA09C767

Function 006AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006AE645

Strings

1#SNAN, xrefs: 006AF844
1#QNAN, xrefs: 006AF84B
1#IND, xrefs: 006AF83D
1#INF, xrefs: 006AF852

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f7c9018dbdbc54740ff5642e56ba9fcb6258ccce58bf01fd4c1282e482846d3e
Instruction ID: 10b98cb7c29874ad2b9a587640f1c2cd3644f299ab2ed589c17f7062b66805ce
Opcode Fuzzy Hash: f7c9018dbdbc54740ff5642e56ba9fcb6258ccce58bf01fd4c1282e482846d3e
Instruction Fuzzy Hash: F7C26C71E046288FDB25EF68DD407EAB7B6EB4A304F1441EAD40DE7241E779AE818F41

Function 006E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006E64DC
CoInitialize.OLE32(00000000), ref: 006E6639
CoCreateInstance.OLE32(0070FCF8,00000000,00000001,0070FB68,?), ref: 006E6650
CoUninitialize.OLE32 ref: 006E68D4

Strings

.lnk, xrefs: 006E64BA, 006E6524, 006E65E0

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bf9d3e1638532914707d9943ff5b3d7627e2f1bfa0d8e145be9c8fb0bb994f97
Instruction ID: fed576bfd9cbd975b43de1f6c6e79af97ef63fea6e5ff102e723cee70b5b728a
Opcode Fuzzy Hash: bf9d3e1638532914707d9943ff5b3d7627e2f1bfa0d8e145be9c8fb0bb994f97
Instruction Fuzzy Hash: B4D14A71608341AFC354DF24C881D6BB7EAFF94344F00896DF5998B2A1EB70E905CBA6

Function 006F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006F22E8

Part of subcall function 006EE4EC: GetWindowRect.USER32(?,?), ref: 006EE504

GetDesktopWindow.USER32 ref: 006F2312
GetWindowRect.USER32(00000000), ref: 006F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006F2355
GetCursorPos.USER32(?), ref: 006F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006F23DF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0cc57a22fd8f21895618049e74d37942d6e4808d21f4edc464790fe62ab78141
Instruction ID: 8deb49fdbc37799ae53a44d2f186a2d12077973a595391fe23ecf8aa4e25621f
Opcode Fuzzy Hash: 0cc57a22fd8f21895618049e74d37942d6e4808d21f4edc464790fe62ab78141
Instruction Fuzzy Hash: F431D2B250531A9FC721DF14C845FABBBAAFF84314F000A1DF5859B291DB75E908CB95

Function 006E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 006E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006E9C8B

Part of subcall function 006E3874: GetInputState.USER32 ref: 006E38CB
Part of subcall function 006E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006E9C75

Strings

*.*, xrefs: 006E9B5D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c86ffaa851573963ba89729e1b2959f1459cb9c2eb7119501f18e569fc440677
Instruction ID: eeeb063f53ac07b99c96f0261408bce4bd4238404140a650bc9d1c167257b33c
Opcode Fuzzy Hash: c86ffaa851573963ba89729e1b2959f1459cb9c2eb7119501f18e569fc440677
Instruction Fuzzy Hash: DB419371901249AFDF55EF65C845AEEBBFAEF05710F208159E405A3291EB309E84CF64

Function 0068997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00689A4E
GetSysColor.USER32(0000000F), ref: 00689B23
SetBkColor.GDI32(?,00000000), ref: 00689B36

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 7c4b9c2b492edfe163904c8f6e15f0956cba7603c6b5d2f6c1b5292e8416aabf
Instruction ID: 849fa6ebcf95dd1eddf0c0323367ef2450a02327bb6b7b48874c10d218a443cd
Opcode Fuzzy Hash: 7c4b9c2b492edfe163904c8f6e15f0956cba7603c6b5d2f6c1b5292e8416aabf
Instruction Fuzzy Hash: 14A10870208444FEE72DBA2D8C59EBB269FEB42350B18430DF502D6BD2CA299D42DB75

Function 006F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006F307A
Part of subcall function 006F304E: _wcslen.LIBCMT ref: 006F309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006F185D
WSAGetLastError.WSOCK32 ref: 006F1884
bind.WSOCK32(00000000,?,00000010), ref: 006F18DB
WSAGetLastError.WSOCK32 ref: 006F18E6
closesocket.WSOCK32(00000000), ref: 006F1915

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 24c376d6215201500c6c98c4b5576e96f5dd09b9a8ebc6e1983d76855e3524c3
Instruction ID: 1576cd9913819ef752b4d1f4778e1a4e250d51e194e23c64c4b95dd89af1c5b8
Opcode Fuzzy Hash: 24c376d6215201500c6c98c4b5576e96f5dd09b9a8ebc6e1983d76855e3524c3
Instruction Fuzzy Hash: 0E51E271A00200AFEB50AF24C886F7A77E6AB45758F04C55CFA1A5F3C3CB75AD418BA5

Function 00701C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00701CC0
IsWindowEnabled.USER32 ref: 00701CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00701CDB
IsIconic.USER32 ref: 00701CE9
IsZoomed.USER32 ref: 00701CF7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c9afc20cab51e189007caa8f328c4403182c75576f598decd523c5fc2e71f2a7
Instruction ID: da8419712f0c3f54af8432e90d41146b280fde2b7da59fefe4e45d5e1d503c99
Opcode Fuzzy Hash: c9afc20cab51e189007caa8f328c4403182c75576f598decd523c5fc2e71f2a7
Instruction Fuzzy Hash: 09219431740211DFE7218F2AC884B5B7BE5AF85324F59825CE8468B391DB79DC42CBA4

Function 00678060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0067813C
VUUU, xrefs: 0067843C
VUUU, xrefs: 006B5DF0
VUUU, xrefs: 006783FA
VUUU, xrefs: 006783E8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f2196a70a0cdd221ab29ea0aeb651d65c63b4fed6ee129ab56fd7a3a01620663
Instruction ID: 38ebf0cc22cf6e9fdb2dce523df1a7c834876fe5191706fab05b717d9fb44a9d
Opcode Fuzzy Hash: f2196a70a0cdd221ab29ea0aeb651d65c63b4fed6ee129ab56fd7a3a01620663
Instruction Fuzzy Hash: 83A24BB1A4061ACFDF24CF58C9447EDB7B3BB54314F2481A9E81AA7385DB749EC18B90

Function 006D8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006D82AA

Strings

(, xrefs: 006D82F0
|, xrefs: 006D82DA
tbs, xrefs: 006D84F4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbs$|
API String ID: 1659193697-2660408474
Opcode ID: 9ef993e27ce8db2561044c07018c07bfce65be0c4a8defff8f40b08045caa4cc
Instruction ID: e9873711f6f4e30f295321e42ded264d2b1c84f4b251ba7e683acc0911f62ad1
Opcode Fuzzy Hash: 9ef993e27ce8db2561044c07018c07bfce65be0c4a8defff8f40b08045caa4cc
Instruction Fuzzy Hash: 7E322474A007059FCB28CF59C485AAAB7F1FF48720B15C56EE49ADB3A1EB70E941CB44

Function 006DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 006DAAAC
SetKeyboardState.USER32(00000080), ref: 006DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 006DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 006DAB88

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1995eeea4ad40a99f5ae8413a17eb99e02871c66991037560c604fade7f72cf0
Instruction ID: 58486ae467673966998d6f03328183cc9acf913d69c57ab4bef0b7e504b2ece3
Opcode Fuzzy Hash: 1995eeea4ad40a99f5ae8413a17eb99e02871c66991037560c604fade7f72cf0
Instruction Fuzzy Hash: 0731E730E48248AFFB358BA5CC05BFA7BA7AB45310F14431BF581963D1D7758982C766

Function 006ABB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006ABB7F

Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0

GetTimeZoneInformation.KERNEL32 ref: 006ABB91
WideCharToMultiByte.KERNEL32(00000000,?,0074121C,000000FF,?,0000003F,?,?), ref: 006ABC09
WideCharToMultiByte.KERNEL32(00000000,?,00741270,000000FF,?,0000003F,?,?,?,0074121C,000000FF,?,0000003F,?,?), ref: 006ABC36

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: f3815ff91f7ef741057eb0e4555b7079335ded36f2bde2ad071e6b518124fc91
Instruction ID: 8471b122e039c71fc29d8952c8cd48ef44994fe5c2e1ea3bc3647b0a0db14495
Opcode Fuzzy Hash: f3815ff91f7ef741057eb0e4555b7079335ded36f2bde2ad071e6b518124fc91
Instruction Fuzzy Hash: 3931C070A44205DFCB11FF69DC8086DBBB9BF47720B1492AAE011D72A2DB749D41CF64

Function 006ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 006ECE89
GetLastError.KERNEL32(?,00000000), ref: 006ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 006ECEFE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: b2ffe914a763c5988e9f2095f8132fdc78e68aabc52a1f20988c15275910e3ed
Instruction ID: beccdf7b0771cf83dae1778141de482a57092e864e234e7d8cfbb0764150f822
Opcode Fuzzy Hash: b2ffe914a763c5988e9f2095f8132fdc78e68aabc52a1f20988c15275910e3ed
Instruction Fuzzy Hash: 7221B0B1501305EFDB20DF66C945BAA77FEEF00324F10851EE54692251EB74ED069B54

Function 006E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 006E5D17
FindClose.KERNEL32(?), ref: 006E5D5F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 4b10e91cb12b86418642ee0a1c50223a6ac5742243baed17a45887a2562dbdf6
Instruction ID: 01f369dbd617776453441e3792ef8d231b2a13272959ccd2234f6cebe810475c
Opcode Fuzzy Hash: 4b10e91cb12b86418642ee0a1c50223a6ac5742243baed17a45887a2562dbdf6
Instruction Fuzzy Hash: A451BA34604B419FC704CF28C894A9AB7E5FF49328F14865DE95A8B3A2CB30ED05CF95

Function 006A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006A2731

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d3348355d6e18502bbb5dd6322ce06f5e816aa6eafaa56b3b965b821f23820f8
Instruction ID: d2b009685461924580e4b70c4c33b10c02de2a464d0e23a43245530dbcb9a5a6
Opcode Fuzzy Hash: d3348355d6e18502bbb5dd6322ce06f5e816aa6eafaa56b3b965b821f23820f8
Instruction Fuzzy Hash: 7F31D774951219ABCB61DF68DC887DCBBB9AF08310F5042DAE80CA7261E7349F818F49

Function 006E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006E5238
SetErrorMode.KERNEL32(00000000), ref: 006E52A1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9ea81d06aeeefc7403cfbb504ee987f737237546cd24e7f373bfb11163164737
Instruction ID: 0f364f34a23409a382a79674e78f54d2ff343e8c67cc0e3b7b7e3e621861286c
Opcode Fuzzy Hash: 9ea81d06aeeefc7403cfbb504ee987f737237546cd24e7f373bfb11163164737
Instruction Fuzzy Hash: 16318175A00608DFDB00DF54D884EADBBF5FF49318F088099E9099B392CB35E945CB94

Function 006D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0068FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00690668
Part of subcall function 0068FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00690685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006D173A
GetLastError.KERNEL32 ref: 006D174A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 849258106d651d047a246ef10e03314937dcfc37b0198ae01661888e272aefac
Instruction ID: 901ff2b4a00147bf0e894986316c313451e61d11619324c0806f005a7761f49d
Opcode Fuzzy Hash: 849258106d651d047a246ef10e03314937dcfc37b0198ae01661888e272aefac
Instruction Fuzzy Hash: 281191B2814304FFD728AF54DC86D6AB7BEEF45714B20862EE45657251EB70FC418B24

Function 006DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006DD650

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 174a0019e6b69f8a491b7e6e6f0c9d5d4dd787377cf3c4a67f09a06c26004bd5
Instruction ID: cd0c6f456e9e0cb191867f646fa1e1fb1ece7a8943de78b0fb7741584d07a6c6
Opcode Fuzzy Hash: 174a0019e6b69f8a491b7e6e6f0c9d5d4dd787377cf3c4a67f09a06c26004bd5
Instruction Fuzzy Hash: B3117C71E01228BBDB108F949C44FAFBBBCEB45B50F108252F904E7290D6704A018BE1

Function 006D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006D16A1
FreeSid.ADVAPI32(?), ref: 006D16B1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: daad593da668e68418c9e35de6ab4f7bdd38a1a66766d9f5df7f30488e8198af
Instruction ID: 17bfc7f825cb7c6243d9534415fe044ec6d0eb72a0690e8c13bd19921f51aa8b
Opcode Fuzzy Hash: daad593da668e68418c9e35de6ab4f7bdd38a1a66766d9f5df7f30488e8198af
Instruction Fuzzy Hash: C1F0F471950309FBEB00DFE49D89AAEBBBDEB08604F508665E601E2181E774AA448A54

Function 006CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 006CD28C

Strings

X64, xrefs: 006CD2A8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8333d096d98187048731626b2ffcf5f083eaf4eba3e5bdeda648990237d3d822
Instruction ID: 6c5b9659df5c06ee589bf171a83f080a7d45e13bd226e594cca04ace2cb1a11a
Opcode Fuzzy Hash: 8333d096d98187048731626b2ffcf5f083eaf4eba3e5bdeda648990237d3d822
Instruction Fuzzy Hash: 32D0C9B480111DEACB94DB90DC88DE9B37CFB04305F104355F106A2040DB34964A8F20

Function 0069CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ef17894b82aab676bba5a325d0665c010ce4505b213c050d981308eac1509cdd
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: FF022C71E002199FDF14CFA9C8806EDBBF6EF48324F254169D819EB784D730AA41CB94

Function 0067CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#t, xrefs: 0067CF7F
Variable is not of type 'Object'., xrefs: 006C0C40

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#t
API String ID: 0-112919048
Opcode ID: 8255c00cfdc4631dc6cb8eb4fbab8b244d74fc1b51460e5d09bb7ddde7775f37
Instruction ID: 5c358c0bde1d87c5ad2e844dd3a3b34c08961f7f11cff5613dd334bfb29043bb
Opcode Fuzzy Hash: 8255c00cfdc4631dc6cb8eb4fbab8b244d74fc1b51460e5d09bb7ddde7775f37
Instruction Fuzzy Hash: AD326970900218DBEF14DF94C895BEDB7B6FF09314F24815DE80AAB292D735AE46CB64

Function 006E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006E6918
FindClose.KERNEL32(00000000), ref: 006E6961

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 947c7f8642ad9866c01d330701340da41102521c1e6da6f487cfe699ed890afc
Instruction ID: 1b9463302de2485d3907a102fffbfdd6c914e729aa7d7b7fde63a429195b95c5
Opcode Fuzzy Hash: 947c7f8642ad9866c01d330701340da41102521c1e6da6f487cfe699ed890afc
Instruction Fuzzy Hash: C2116A316042419FD710DF2AD484A1ABBE6AF85328F14C69DF4698B6A2CB34EC05CB91

Function 006E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006F4891,?,?,00000035,?), ref: 006E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006F4891,?,?,00000035,?), ref: 006E37F4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b3d482402e347a3ad7039301f5be15c8bcd9f198e88cb264628df3165dce336e
Instruction ID: 841a68f8be6b43a45c35a8c1dd8d04264626ad3b85127f94749b657472215f5f
Opcode Fuzzy Hash: b3d482402e347a3ad7039301f5be15c8bcd9f198e88cb264628df3165dce336e
Instruction Fuzzy Hash: D2F0E5B06053286AEB6117678C4DFEB7AAFEFC5761F004269F509D3281D9609944C7B4

Function 006DB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 006DB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 006DB270

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: f16b53f4834e38bb762124d329ed94b5624a7d2192897313c29e0cd199999b38
Instruction ID: 3cc6a68b199da0e745ca464219dc43af8d6e9d5d1054a5db623073dbf490d5c8
Opcode Fuzzy Hash: f16b53f4834e38bb762124d329ed94b5624a7d2192897313c29e0cd199999b38
Instruction Fuzzy Hash: EAF01D7580424DEBDB059FA0C805BFE7BB4FF04305F10910AF955A5291C77986119F94

Function 006D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006D11FC), ref: 006D10D4
CloseHandle.KERNEL32(?,?,006D11FC), ref: 006D10E9

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0b315729956cfa26d69f90e15d303ba09adde8a33bf2ca4a2d5fd0efd71fd683
Instruction ID: 46c20c320bde43a41f00bd585bb5258cbb47b8c40dd3fcf1a1b9cf8e938daa8d
Opcode Fuzzy Hash: 0b315729956cfa26d69f90e15d303ba09adde8a33bf2ca4a2d5fd0efd71fd683
Instruction Fuzzy Hash: 96E04F32014600FEE7262B11FC09E7377AAEF04310B10CA2EF5A5805B1DF626CA0DB14

Function 006A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006A6766,?,?,00000008,?,?,006AFEFE,00000000), ref: 006A6998

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6156ebac41bace9312e5be4c7ba5ec063e0e231092e7ab685d31402e8cdbe0a9
Instruction ID: a3ca89041be8c11858654c7a76362106a3e7d4cef5c5d9f9e0c7f2ac6c431539
Opcode Fuzzy Hash: 6156ebac41bace9312e5be4c7ba5ec063e0e231092e7ab685d31402e8cdbe0a9
Instruction Fuzzy Hash: 2BB15C316106098FD715DF28C486BA57BA1FF06364F298658F99ACF2A2C335ED92CF40

Function 0068B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 006C851F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0861548fc4884e8a698b3d0a22a660f25ba03ebfa5b899b735fc9bcde5ae1598
Instruction ID: e69f43b6e120bdf9817a736dfeee9b3e4354293545ea1bd70e4222b4c2b54f61
Opcode Fuzzy Hash: 0861548fc4884e8a698b3d0a22a660f25ba03ebfa5b899b735fc9bcde5ae1598
Instruction Fuzzy Hash: D8123F719002299FCB64DF58C881BFEB7F6EF48710F14819AE849EB255DB749E81CB90

Function 006EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006EEABD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fad790f1eedf0c97eec1df6c1d2801c7f9b7f122c009dbc64d81dec9eaf2fc94
Instruction ID: 45ac511ce3d4a0d1413732f225b13d166eacafc852b1020274d23a73c4bd95a6
Opcode Fuzzy Hash: fad790f1eedf0c97eec1df6c1d2801c7f9b7f122c009dbc64d81dec9eaf2fc94
Instruction Fuzzy Hash: 36E01A312002049FD710EF6AD804E9AB7EAAF98764F00C42AFC49C7391DB75A8418B94

Function 006909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006903EE), ref: 006909DA

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fee48fc4bb3d385b3742698177ea594db40dbc20c562a15dca8d526a750de7de
Instruction ID: d2c6353d11635bc6c6f2afbf2921a28eac48b3cf7e29d5e049570d608fc08f07
Opcode Fuzzy Hash: fee48fc4bb3d385b3742698177ea594db40dbc20c562a15dca8d526a750de7de
Instruction Fuzzy Hash:

Function 0069781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0069798B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 600c706b53c8cec7f464b991d299d74476c2c35dfbbeff719d537747ed4a440a
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3151577163C7055BDF3885688A5E7FE638FDB12344F18052AE886DBF82CA15DE02D35A

Function 006E2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&t, xrefs: 006E2053

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: 0&t
API String ID: 0-1335626371
Opcode ID: 4657106a671a6def841a96fbbe330a846b32f089605168d712d58f073b94582e
Instruction ID: 4ec33d8b717dd6125ef4a60a41261e9c190e7d244f0790750704d9f64913e49f
Opcode Fuzzy Hash: 4657106a671a6def841a96fbbe330a846b32f089605168d712d58f073b94582e
Instruction Fuzzy Hash: 7821BB326216158BD728CF79C82367E73EAA754310F55862EE4A7C37D1DE39A904C784

Function 006A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbda54e2d29ed2c1884433e812c8764dc29c0a0602ae28f83afedd32b6f4fce
Instruction ID: 5b6a5d6654ec4945f997715164e40fccf062fc6d88736be5ee3fca1c2b66cce0
Opcode Fuzzy Hash: 3fbda54e2d29ed2c1884433e812c8764dc29c0a0602ae28f83afedd32b6f4fce
Instruction Fuzzy Hash: CE325921D29F014DD723A638DC26375A68AAFB73C5F15D737F816B5AA6EF28C8834500

Function 0068CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc2448083a78cc00330a842726dacf61094dd738fd114faff188bb2f699d05f
Instruction ID: 60a55a3ee363cf6663528ece8625731bc0976a63cfbf76cf9513c98cac361142
Opcode Fuzzy Hash: 4fc2448083a78cc00330a842726dacf61094dd738fd114faff188bb2f699d05f
Instruction Fuzzy Hash: 4532E232A001558BDF28DB69C494FBD7BA3EB45330F28866ED44E9B391D234DD82DB61

Function 00677920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644eb066146cc9f28eee2217082b7bc771c5aca43783857e9f6a94a5c9495533
Instruction ID: d3f57010b662a4be628a147a0843fd6e7c937cc9414a0d9e0e713b0e991656e5
Opcode Fuzzy Hash: 644eb066146cc9f28eee2217082b7bc771c5aca43783857e9f6a94a5c9495533
Instruction Fuzzy Hash: 08228EB0A0460ADFDF14DF64C881AEEB7F6FF48300F148629E816A7391EB359955CB54

Function 006791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfff817f865cf836fabe5ae48076ca8caaacaca641b03a74b409f5be034e203
Instruction ID: a3c890dde3c21c41461adf0e3ccecc95703a6402574fe2987d90f492986be7b9
Opcode Fuzzy Hash: bbfff817f865cf836fabe5ae48076ca8caaacaca641b03a74b409f5be034e203
Instruction Fuzzy Hash: E902A5B1E00109EBDF14DF64D881AEDB7B6FF44300F118169E81A9B391EB35AE51CB95

Function 006A9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a4cd3327060804704114bf9089d1894ae95f21c641e64fc2a32ecf08e937a8
Instruction ID: f4df13926aaf7999d7c5856c359dc5cb7ef1b6eabd757b245d608e0c6a71ab50
Opcode Fuzzy Hash: 65a4cd3327060804704114bf9089d1894ae95f21c641e64fc2a32ecf08e937a8
Instruction Fuzzy Hash: A0B1F030D2AF404DD623A6398831336FA5CAFBB6D5F91D31BFC2674D62EB2686834144

Function 00691C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a52cfb231aa27ea4c209388ee7e5182872beaf421288c2eba11ff32aae04676e
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 109188726080A34ADF2D463A853407DFFE65E533B132A079ED4F2CEAC5EE24C559D620

Function 00691F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 90b7a4937d58f92f9143587e0408dab045c3c05faed9a4c220f118a1840e8b9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: A39177726090A35ADF2D4239857407EFFE75A923B131A079DD4F2CFAC5EE24C564E620

Function 006919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 30acc038b4d9680d7fc67dbd61ba7563b6961a83360091eb32513305232dfdf5
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FF9164722090A34ADF29427A857407DFFEB5A933B232A079ED4F2CEAC5FD1489559620

Function 00697A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf119e018fb6a221f6d94768c3021512bc0ee05773571fca7f8348e6f58aff4
Instruction ID: b3ae5705654a454ec745c634d1ed06598ddf214b30b1f92e97f8ae441431c2ee
Opcode Fuzzy Hash: dcf119e018fb6a221f6d94768c3021512bc0ee05773571fca7f8348e6f58aff4
Instruction Fuzzy Hash: 186199312383099ADE389E2C8C91BFE238FDF51710F14091EE842DBF85D611AE42C359

Function 00697CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5066f3db103f61d8a55cc2df8cca03e798b91673c0e30b78e484cc5aacf937be
Instruction ID: 6118ea6ef6b52f0e5ccc0ed6463b15aaf693085dcec4b92c70b48a5e77c52f9e
Opcode Fuzzy Hash: 5066f3db103f61d8a55cc2df8cca03e798b91673c0e30b78e484cc5aacf937be
Instruction Fuzzy Hash: D161897123870997DE384A288852BFF338FEF42704F14095EE842DBF81DA129D4A9359

Function 00691706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0bfcca08c61f153fac9b42c5937d3911dc71e439eb7a09d9997846dc7bdf0204
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 948176726090A30ADF6D427985340BEFFE75A933A132A079DD4F2CFAC1EE24C554E620

Function 0068D065 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c9eed2c04aca1725ffcbd979b223e08e69ffb947ffda22a5b8dce636f02a93
Instruction ID: 2c4fdb82f27f25bc8f9f9796138d48d0707a8a3709e0bb7b8329e984bf41a198
Opcode Fuzzy Hash: 63c9eed2c04aca1725ffcbd979b223e08e69ffb947ffda22a5b8dce636f02a93
Instruction Fuzzy Hash: C051437154E7C0CFE73AAB258446D347F70EE62A1434A86CEC4814B8BBEB71951ECB85

Function 006F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006F2B30
DeleteObject.GDI32(00000000), ref: 006F2B43
DestroyWindow.USER32 ref: 006F2B52
GetDesktopWindow.USER32 ref: 006F2B6D
GetWindowRect.USER32(00000000), ref: 006F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2CF8
GetClientRect.USER32(00000000,?), ref: 006F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D80
GlobalLock.KERNEL32(00000000), ref: 006F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2D98
GlobalUnlock.KERNEL32(00000000), ref: 006F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2DA8
GlobalFree.KERNEL32(00000000), ref: 006F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0070FC38,00000000), ref: 006F2DDB
GlobalFree.KERNEL32(00000000), ref: 006F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006F303F

Strings

, xrefs: 006F2FC5
AutoIt v3, xrefs: 006F2CF2
static, xrefs: 006F2D3A, 006F2E91
DISPLAY, xrefs: 006F2EA2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1ade0377f288c2048322b36008c67b5e41035751701883a41b1b10854ffb0b84
Instruction ID: 0f00116804fe1d30e79d9c51df982502eeb2e4742594fa67a58e7ff4abc2e69b
Opcode Fuzzy Hash: 1ade0377f288c2048322b36008c67b5e41035751701883a41b1b10854ffb0b84
Instruction Fuzzy Hash: 41028C71500209EFDB15DFA4CC89EAE7BBAFB49714F008258F915AB2A1DB74AD01CF64

Function 007070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0070712F
GetSysColorBrush.USER32(0000000F), ref: 00707160
GetSysColor.USER32(0000000F), ref: 0070716C
SetBkColor.GDI32(?,000000FF), ref: 00707186
SelectObject.GDI32(?,?), ref: 00707195
InflateRect.USER32(?,000000FF,000000FF), ref: 007071C0
GetSysColor.USER32(00000010), ref: 007071C8
CreateSolidBrush.GDI32(00000000), ref: 007071CF
FrameRect.USER32(?,?,00000000), ref: 007071DE
DeleteObject.GDI32(00000000), ref: 007071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00707230
FillRect.USER32(?,?,?), ref: 00707262
GetWindowLongW.USER32(?,000000F0), ref: 00707284

Part of subcall function 007073E8: GetSysColor.USER32(00000012), ref: 00707421
Part of subcall function 007073E8: SetTextColor.GDI32(?,?), ref: 00707425
Part of subcall function 007073E8: GetSysColorBrush.USER32(0000000F), ref: 0070743B
Part of subcall function 007073E8: GetSysColor.USER32(0000000F), ref: 00707446
Part of subcall function 007073E8: GetSysColor.USER32(00000011), ref: 00707463
Part of subcall function 007073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00707471
Part of subcall function 007073E8: SelectObject.GDI32(?,00000000), ref: 00707482
Part of subcall function 007073E8: SetBkColor.GDI32(?,00000000), ref: 0070748B
Part of subcall function 007073E8: SelectObject.GDI32(?,?), ref: 00707498
Part of subcall function 007073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007074B7
Part of subcall function 007073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007074CE
Part of subcall function 007073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007074DB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 2ded2df15f0aac0b2f594427e7397f188fb396ee192850657b4994546f84cc1e
Instruction ID: a2427c9073794a6c3147dce035c03abd1dd55eb120b2e2d7b6067401a511f742
Opcode Fuzzy Hash: 2ded2df15f0aac0b2f594427e7397f188fb396ee192850657b4994546f84cc1e
Instruction Fuzzy Hash: 4BA1C072408301EFD7029F60DC48A5BBBE9FF89320F108B19F962961E0DB78E850CB51

Function 00688D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00688E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 006C6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006C6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006C6F43

Part of subcall function 00688F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00688BE8,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 00688FC5

SendMessageW.USER32(?,00001053), ref: 006C6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006C6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 006C6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 006C6FB7

Strings

0, xrefs: 006C6DCF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d170739995704483a597b7aacaabb31daf33ffabfe69df646786994baee41b59
Instruction ID: f988ef7456915119be41adc5b25143620da2f5b67fa974698144abb4eaf252b4
Opcode Fuzzy Hash: d170739995704483a597b7aacaabb31daf33ffabfe69df646786994baee41b59
Instruction Fuzzy Hash: 76128A34204241DFDB25EF14C848FB5B7A6FB49300F94866EF5958B261CB35EC92CB99

Function 006F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006F2900
GetClientRect.USER32(00000000,?), ref: 006F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006F2964
GetStockObject.GDI32(00000011), ref: 006F2974
SelectObject.GDI32(00000000,00000000), ref: 006F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006F2991
DeleteDC.GDI32(00000000), ref: 006F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 006F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006F2A77
GetStockObject.GDI32(00000011), ref: 006F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006F2A97

Strings

AutoIt v3, xrefs: 006F28F8
msctls_progress32, xrefs: 006F2A13
static, xrefs: 006F294F, 006F2A71
DISPLAY, xrefs: 006F295A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 696f3e0107f4fc7b76ac07c2351ef2b14acd9523eb28f22d6df584193ee07d2d
Instruction ID: 35ed174138669326dddc4491227292bb579106d225a59dbbcebefca7269b22d0
Opcode Fuzzy Hash: 696f3e0107f4fc7b76ac07c2351ef2b14acd9523eb28f22d6df584193ee07d2d
Instruction Fuzzy Hash: 11B15FB5A40209AFEB14DF68CC45FAE7BA9EB05710F108255FA14E7290DB74ED40CB94

Function 006E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006E4AED
GetDriveTypeW.KERNEL32(?,0070CB68,?,\\.\,0070CC08), ref: 006E4BCA
SetErrorMode.KERNEL32(00000000,0070CB68,?,\\.\,0070CC08), ref: 006E4D36

Strings

SCSI, xrefs: 006E4C8A
FileBackedVirtual, xrefs: 006E4CEC
\\.\, xrefs: 006E4B3F
Network, xrefs: 006E4C02
Virtual, xrefs: 006E4CE5
MMC, xrefs: 006E4CDE
CDROM, xrefs: 006E4BFB
PhysicalDrive, xrefs: 006E4B76
ATA, xrefs: 006E4C98
Unknown, xrefs: 006E4BED, 006E4C83
Fibre, xrefs: 006E4CAD
SSA, xrefs: 006E4CA6
SSD, xrefs: 006E4C4A
ATAPI, xrefs: 006E4C91
RAID, xrefs: 006E4CBB
Fixed, xrefs: 006E4C09
Removable, xrefs: 006E4C10, 006E4C15
iSCSI, xrefs: 006E4CC2
USB, xrefs: 006E4CB4
SATA, xrefs: 006E4CD0
SAS, xrefs: 006E4CC9
1394, xrefs: 006E4C9F
RAMDisk, xrefs: 006E4BF4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c7e6caea054d39fba99a6d7fc18fb41c87f8d5b3d1fcf8a0facc0f1bcca0d96e
Instruction ID: b188f6abcccd14c55385fd8d1d9e04df31f4f0fc1e9dd5011be44d9d4b8afc6c
Opcode Fuzzy Hash: c7e6caea054d39fba99a6d7fc18fb41c87f8d5b3d1fcf8a0facc0f1bcca0d96e
Instruction Fuzzy Hash: 37618F70707385ABDB04DF35C9829A977A2AB04B00B34C519F80AAB792DF29ED42DB55

Function 007073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00707421
SetTextColor.GDI32(?,?), ref: 00707425
GetSysColorBrush.USER32(0000000F), ref: 0070743B
GetSysColor.USER32(0000000F), ref: 00707446
CreateSolidBrush.GDI32(?), ref: 0070744B
GetSysColor.USER32(00000011), ref: 00707463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00707471
SelectObject.GDI32(?,00000000), ref: 00707482
SetBkColor.GDI32(?,00000000), ref: 0070748B
SelectObject.GDI32(?,?), ref: 00707498
InflateRect.USER32(?,000000FF,000000FF), ref: 007074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0070752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00707554
InflateRect.USER32(?,000000FD,000000FD), ref: 00707572
DrawFocusRect.USER32(?,?), ref: 0070757D
GetSysColor.USER32(00000011), ref: 0070758E
SetTextColor.GDI32(?,00000000), ref: 00707596
DrawTextW.USER32(?,007070F5,000000FF,?,00000000), ref: 007075A8
SelectObject.GDI32(?,?), ref: 007075BF
DeleteObject.GDI32(?), ref: 007075CA
SelectObject.GDI32(?,?), ref: 007075D0
DeleteObject.GDI32(?), ref: 007075D5
SetTextColor.GDI32(?,?), ref: 007075DB
SetBkColor.GDI32(?,?), ref: 007075E5

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1bf4a5549b39140caf2e3f3875a1addb710a12dddd02422871d1d7e07f217974
Instruction ID: 4c698fd6d2f536f6d0fd030573a2f09124f4ace0c535c9791a85ade6c55e9d71
Opcode Fuzzy Hash: 1bf4a5549b39140caf2e3f3875a1addb710a12dddd02422871d1d7e07f217974
Instruction Fuzzy Hash: 38616175D00218EFDB059FA4DC49ADE7FB9EB09320F108315F911A72E1DB79A950CB94

Function 00700FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00701128
GetDesktopWindow.USER32 ref: 0070113D
GetWindowRect.USER32(00000000), ref: 00701144
GetWindowLongW.USER32(?,000000F0), ref: 00701199
DestroyWindow.USER32(?), ref: 007011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0070120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0070121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00701232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00701245
IsWindowVisible.USER32(00000000), ref: 007012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007012D0
GetWindowRect.USER32(00000000,?), ref: 007012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0070130E
GetMonitorInfoW.USER32(00000000,?), ref: 00701328
CopyRect.USER32(?,?), ref: 0070133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007013AA

Strings

tooltips_class32, xrefs: 007011E6
(, xrefs: 0070131B
0, xrefs: 007010D3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 20895521438700935bae97159d7ecc6596d2146e130dcf14b68f99af15ef36bc
Instruction ID: eac9baa84f8ec238a7903e951229ccf19310ddb58f817442a7291fa91a529a1c
Opcode Fuzzy Hash: 20895521438700935bae97159d7ecc6596d2146e130dcf14b68f99af15ef36bc
Instruction Fuzzy Hash: 6CB19A71604341EFD714DF64C884B6ABBE5FF84704F408A1CF9999B2A1DB35E844CBA6

Function 00688891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00688968
GetSystemMetrics.USER32(00000007), ref: 00688970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0068899B
GetSystemMetrics.USER32(00000008), ref: 006889A3
GetSystemMetrics.USER32(00000004), ref: 006889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00688A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00688A3C
GetClientRect.USER32(00000000,000000FF), ref: 00688A5A
GetStockObject.GDI32(00000011), ref: 00688A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00688A81

Part of subcall function 0068912D: GetCursorPos.USER32(?), ref: 00689141
Part of subcall function 0068912D: ScreenToClient.USER32(00000000,?), ref: 0068915E
Part of subcall function 0068912D: GetAsyncKeyState.USER32(00000001), ref: 00689183
Part of subcall function 0068912D: GetAsyncKeyState.USER32(00000002), ref: 0068919D

SetTimer.USER32(00000000,00000000,00000028,006890FC), ref: 00688AA8

Strings

AutoIt v3 GUI, xrefs: 00688A20

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 61338292481aef746c7e72d701ec70210a9702501efe43bbd8a30b504a3a4b72
Instruction ID: e292f0fe049c92a77113830cafe8063d66d9b63c768a3dd094945118f36f81da
Opcode Fuzzy Hash: 61338292481aef746c7e72d701ec70210a9702501efe43bbd8a30b504a3a4b72
Instruction Fuzzy Hash: 6CB15D75A00209DFDF14EF68CC45BEE3BB6FB48314F508229FA15AB290DB74A841CB59

Function 006D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006D1114
Part of subcall function 006D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1120
Part of subcall function 006D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D112F
Part of subcall function 006D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1136
Part of subcall function 006D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006D0E29
GetLengthSid.ADVAPI32(?), ref: 006D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 006D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006D0E96
GetLengthSid.ADVAPI32(?), ref: 006D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 006D0EB5
HeapAlloc.KERNEL32(00000000), ref: 006D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006D0EDD
CopySid.ADVAPI32(00000000), ref: 006D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0F6E
HeapFree.KERNEL32(00000000), ref: 006D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0F7E
HeapFree.KERNEL32(00000000), ref: 006D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D0F8E
HeapFree.KERNEL32(00000000), ref: 006D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 006D0FA1
HeapFree.KERNEL32(00000000), ref: 006D0FA8

Part of subcall function 006D1193: GetProcessHeap.KERNEL32(00000008,006D0BB1,?,00000000,?,006D0BB1,?), ref: 006D11A1
Part of subcall function 006D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,006D0BB1,?), ref: 006D11A8
Part of subcall function 006D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006D0BB1,?), ref: 006D11B7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 928871adc3f51b7526fb8d6638c58b74363bd9261a757b87d7939d2bfc9b4315
Instruction ID: 836f0e3bb80143aba7e723c97debb08c8034f8066f5400fb9399bd3ebf8f046e
Opcode Fuzzy Hash: 928871adc3f51b7526fb8d6638c58b74363bd9261a757b87d7939d2bfc9b4315
Instruction Fuzzy Hash: D8716F72D0020AEBEF21DFA4DC49FEEBBB9BF05300F148216F915A6291DB759905CB60

Function 006FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0070CC08,00000000,?,00000000,?,?), ref: 006FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006FC5A4
_wcslen.LIBCMT ref: 006FC5F4
_wcslen.LIBCMT ref: 006FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006FC84D
RegCloseKey.ADVAPI32(?), ref: 006FC881
RegCloseKey.ADVAPI32(00000000), ref: 006FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006FC960

Strings

REG_QWORD, xrefs: 006FC8C3
REG_DWORD, xrefs: 006FC804
REG_BINARY, xrefs: 006FC913
REG_SZ, xrefs: 006FC644
REG_MULTI_SZ, xrefs: 006FC6F5
REG_EXPAND_SZ, xrefs: 006FC5CD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ce35851c7c11348a5c76d58cba7b8c88b45f02bfecc547c81e016c01b90ee9e4
Instruction ID: d502c211b537eb71d196fb8d3a3192a2754ec1e8f5f39ec74323159bec38a47e
Opcode Fuzzy Hash: ce35851c7c11348a5c76d58cba7b8c88b45f02bfecc547c81e016c01b90ee9e4
Instruction Fuzzy Hash: C3127A352042059FDB54DF24C981E6ABBE6FF88724F14885CF95A9B3A2DB31EC41CB85

Function 0070091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007009C6
_wcslen.LIBCMT ref: 00700A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00700A54
_wcslen.LIBCMT ref: 00700A8A
_wcslen.LIBCMT ref: 00700B06
_wcslen.LIBCMT ref: 00700B81

Part of subcall function 0068F9F2: _wcslen.LIBCMT ref: 0068F9FD

Part of subcall function 006D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006D2BFA

Strings

GETSELECTED, xrefs: 00700C4E
GETITEMCOUNT, xrefs: 00700C1E
EXPAND, xrefs: 00700BF8
EXISTS, xrefs: 00700B7C, 00700B97
GETTOTALCOUNT, xrefs: 007009F2, 00700A17
UNCHECK, xrefs: 00700D3E
COLLAPSE, xrefs: 00700B01, 00700B1C
GETTEXT, xrefs: 00700C97
SELECT, xrefs: 00700D11
CHECK, xrefs: 00700A85, 00700AA0
ISCHECKED, xrefs: 00700CE1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 12fa7edd9e623404519a0025117f33da2dbd51a880fec528de1c63e729ff74b1
Instruction ID: 306b09a6e2f24b963d4c380a53561e7afd80b490e0f28e1792780382172332dd
Opcode Fuzzy Hash: 12fa7edd9e623404519a0025117f33da2dbd51a880fec528de1c63e729ff74b1
Instruction Fuzzy Hash: 07E1AE71208301DFC754DF24C450A2AB7E2BF98324F148A5DF89A9B3A2DB38ED45CB95

Function 006FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
_wcslen.LIBCMT ref: 006FC9F1
_wcslen.LIBCMT ref: 006FCA68
_wcslen.LIBCMT ref: 006FCA9E
_wcslen.LIBCMT ref: 006FCAF9
_wcslen.LIBCMT ref: 006FCB2F
_wcslen.LIBCMT ref: 006FCB7F

Strings

HKCR, xrefs: 006FCB29, 006FCB2E
HKEY_CURRENT_USER, xrefs: 006FCBBD
HKCU, xrefs: 006FCBCE
HKLM, xrefs: 006FCA98, 006FCA9D
HKEY_CLASSES_ROOT, xrefs: 006FCAF3, 006FCAF8
HKEY_CURRENT_CONFIG, xrefs: 006FCB79, 006FCB7E
HKU, xrefs: 006FCBF0
HKCC, xrefs: 006FCBAC
HKEY_USERS, xrefs: 006FCBDF
HKEY_LOCAL_MACHINE, xrefs: 006FCA62, 006FCA67

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 15a59103e9784133d0b0560c6d09221a85c2b49145686ff508be85c978b66bd0
Instruction ID: a3196f16ff9bd80926c90e57bcc90088531d5bdbd10ef4fbc72a38f88ea86990
Opcode Fuzzy Hash: 15a59103e9784133d0b0560c6d09221a85c2b49145686ff508be85c978b66bd0
Instruction Fuzzy Hash: AB71F27260012E8BCB20DE7CCA519FA3397AFA0774F214528FA6697385EA35DD45C3A0

Function 0070833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0070835A
_wcslen.LIBCMT ref: 0070836E
_wcslen.LIBCMT ref: 00708391
_wcslen.LIBCMT ref: 007083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0070361A,?), ref: 0070844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00708487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00708501
FreeLibrary.KERNEL32(?), ref: 0070850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0070851D
DestroyIcon.USER32(?), ref: 0070852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00708549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00708555

Strings

.icl, xrefs: 00708368
.exe, xrefs: 00708388
.dll, xrefs: 007083AB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 0e057f0269ad623b7d87102cfe6b77bb6ba620d822a9fd106360663c0cebab71
Instruction ID: 678b275b1f108bc1f449337ece912b9545d1d8d8ddda8db9439918338ec9ad86
Opcode Fuzzy Hash: 0e057f0269ad623b7d87102cfe6b77bb6ba620d822a9fd106360663c0cebab71
Instruction Fuzzy Hash: C461EE71500219FAEB54CF64CC81BBE77ACBB08B21F108709F855D61D1DFB8AA91CBA0

Function 00677778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 006778ED
#OnAutoItStartRegister, xrefs: 00677817
#comments-end, xrefs: 006778D9
#requireadmin, xrefs: 006777FF
', xrefs: 006B5169
Cannot parse #include, xrefs: 006B5279
#notrayicon, xrefs: 006777E7
#include-once, xrefs: 0067782F
#include, xrefs: 00677847
Bad directive syntax error, xrefs: 006B519A
Unterminated group of comments, xrefs: 006B528C
#cs, xrefs: 00677873, 006778C5
#comments-start, xrefs: 0067785F, 006778B1
#pragma compile, xrefs: 006777D3
", xrefs: 006B5153

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 9a570e6c3bcbfbf950867a571d14f7a7113df7d016354cbaa1003711eb3e7251
Instruction ID: 6b6594b348eb29eb1a123d16122a5f32f511e989c3067384951d0f3350905454
Opcode Fuzzy Hash: 9a570e6c3bcbfbf950867a571d14f7a7113df7d016354cbaa1003711eb3e7251
Instruction Fuzzy Hash: C181FBB1604205BFDF65AF64CC42FEE37ABAF15300F048128F909AB296EB74D951C7A5

Function 006E3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 006E3EF8
_wcslen.LIBCMT ref: 006E3F03
_wcslen.LIBCMT ref: 006E3F5A
_wcslen.LIBCMT ref: 006E3F98
GetDriveTypeW.KERNEL32(?), ref: 006E3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006E401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006E4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006E4087

Strings

wait, xrefs: 006E4044
open, xrefs: 006E3F54, 006E3F59
type cdaudio alias cd wait, xrefs: 006E4001
close, xrefs: 006E3EFE, 006E3F18
closed, xrefs: 006E3F08, 006E3F2D, 006E3F46, 006E3F7E, 006E3F97
close cd wait, xrefs: 006E4072
set cd door , xrefs: 006E4028
open , xrefs: 006E3FE5

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b54e610ddbc1b67b9316d47bc3ea972f60fa4207f80a4133035bbcee42265d12
Instruction ID: 2d463102e9bd5cef0979dfdc3b8419afeea0fd2f75e2c5c1695b5c6f99e86a54
Opcode Fuzzy Hash: b54e610ddbc1b67b9316d47bc3ea972f60fa4207f80a4133035bbcee42265d12
Instruction Fuzzy Hash: 1371BD716043119FC710EF35C8818AAB7E6EF94764F10892DF89997352EB34EE46CB91

Function 006D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 006D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006D5A40
SetWindowTextW.USER32(?,?), ref: 006D5A57
GetDlgItem.USER32(?,000003EA), ref: 006D5A6C
SetWindowTextW.USER32(00000000,?), ref: 006D5A72
GetDlgItem.USER32(?,000003E9), ref: 006D5A82
SetWindowTextW.USER32(00000000,?), ref: 006D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006D5AC3
GetWindowRect.USER32(?,?), ref: 006D5ACC
_wcslen.LIBCMT ref: 006D5B33
SetWindowTextW.USER32(?,?), ref: 006D5B6F
GetDesktopWindow.USER32 ref: 006D5B75
GetWindowRect.USER32(00000000), ref: 006D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 006D5BD3
GetClientRect.USER32(?,?), ref: 006D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 006D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006D5C2F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: e9071c0ca5da6a311cfe11efd4aabf59db701a3367422df5f83f2defa766695e
Instruction ID: 549e0144f63d7bafb84393e0ce737fe214a942d5bd8d3b4d97ef366b97106a79
Opcode Fuzzy Hash: e9071c0ca5da6a311cfe11efd4aabf59db701a3367422df5f83f2defa766695e
Instruction Fuzzy Hash: 7C716F31900B05DFDB21DFA8CD55AAEBBF6FF48704F10461AE143A66A0DB75E940CB54

Function 006EFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 006EFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 006EFE32
LoadCursorW.USER32(00000000,00007F00), ref: 006EFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 006EFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 006EFE53
LoadCursorW.USER32(00000000,00007F01), ref: 006EFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 006EFE69
LoadCursorW.USER32(00000000,00007F88), ref: 006EFE74
LoadCursorW.USER32(00000000,00007F80), ref: 006EFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 006EFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 006EFE95
LoadCursorW.USER32(00000000,00007F85), ref: 006EFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 006EFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 006EFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 006EFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 006EFECC
GetCursorInfo.USER32(?), ref: 006EFEDC
GetLastError.KERNEL32 ref: 006EFF1E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 916acd391170319f0c7041251a67c1c2c1c785ef4497605f8109e0dc08626229
Instruction ID: b8315bfb69088aae335dc11454b16c62138156da475d2e6d407e69ea57b67cf4
Opcode Fuzzy Hash: 916acd391170319f0c7041251a67c1c2c1c785ef4497605f8109e0dc08626229
Instruction Fuzzy Hash: DB4152B0D05359ABDB109FBA8C8985EBFE9FF04354B50852AF11DE7281DB78A901CE91

Function 006D30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006D318D
_wcslen.LIBCMT ref: 006D31F8

Strings

REGEXPCLASS, xrefs: 006D3255, 006D3266
CLASSNN, xrefs: 006D31F3, 006D3204
CLASS, xrefs: 006D3188, 006D31A5
INSTANCE, xrefs: 006D3453
NAME, xrefs: 006D3335, 006D3346
[s, xrefs: 006D339A
TEXT, xrefs: 006D347C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[s
API String ID: 176396367-691173368
Opcode ID: 0b5aa5d379020f217f10e730503a8d7b32d94c198a049fe518ac63ea10c8066a
Instruction ID: f7a017c7ccd8b3f7d290792f94386030da3c90c0fc6ab691979c92c368197316
Opcode Fuzzy Hash: 0b5aa5d379020f217f10e730503a8d7b32d94c198a049fe518ac63ea10c8066a
Instruction Fuzzy Hash: 7FE1D432E00626ABCF549FA4C8516EEFBB6BF54710F54822BE456E7340DB30AF4587A1

Function 006900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006900C6

Part of subcall function 006900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0074070C,00000FA0,A12262EA,?,?,?,?,006B23B3,000000FF), ref: 0069011C
Part of subcall function 006900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006B23B3,000000FF), ref: 00690127
Part of subcall function 006900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006B23B3,000000FF), ref: 00690138
Part of subcall function 006900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0069014E
Part of subcall function 006900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0069015C
Part of subcall function 006900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0069016A
Part of subcall function 006900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00690195
Part of subcall function 006900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006901A0

___scrt_fastfail.LIBCMT ref: 006900E7

Part of subcall function 006900A3: __onexit.LIBCMT ref: 006900A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00690122
SleepConditionVariableCS, xrefs: 00690154
InitializeConditionVariable, xrefs: 00690148
kernel32.dll, xrefs: 00690133
WakeAllConditionVariable, xrefs: 00690162

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 28104ff3620a2ec61c26e1337d78d4201518cc95c3e35147db0697054c875466
Instruction ID: 1d74f1f66d9a00a7c08c56f118d28354d55c5a508f631c4209af495d7c6e6e32
Opcode Fuzzy Hash: 28104ff3620a2ec61c26e1337d78d4201518cc95c3e35147db0697054c875466
Instruction Fuzzy Hash: 7821DA72644710EFFF225BB4AC09B6937D9DB05B61F14432AF901A2AD1DF7858008A99

Function 006E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0070CC08), ref: 006E4527
_wcslen.LIBCMT ref: 006E453B
_wcslen.LIBCMT ref: 006E4599
_wcslen.LIBCMT ref: 006E45F4
_wcslen.LIBCMT ref: 006E463F
_wcslen.LIBCMT ref: 006E46A7

Part of subcall function 0068F9F2: _wcslen.LIBCMT ref: 0068F9FD

GetDriveTypeW.KERNEL32(?,00736BF0,00000061), ref: 006E4743

Strings

all, xrefs: 006E4531, 006E4536
removable, xrefs: 006E45EA, 006E45EF
cdrom, xrefs: 006E458F, 006E4594
network, xrefs: 006E469D, 006E46A2
unknown, xrefs: 006E4708
fixed, xrefs: 006E4635, 006E463A
ramdisk, xrefs: 006E46F1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 613d9d7945c2115d3bc0e90f52539de0c36061d26d02d59e7663851585464bb6
Instruction ID: 4358a9c1b0e613d9d106cf324919749ce16a9b165629012781b1015b8fac889d
Opcode Fuzzy Hash: 613d9d7945c2115d3bc0e90f52539de0c36061d26d02d59e7663851585464bb6
Instruction Fuzzy Hash: 8AB1F4716093429FC710DF39C8909AAB7E6BFA5720F508A1DF496C7391EB30D845CBA2

Function 0070911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

DragQueryPoint.SHELL32(?,?), ref: 00709147

Part of subcall function 00707674: ClientToScreen.USER32(?,?), ref: 0070769A
Part of subcall function 00707674: GetWindowRect.USER32(?,?), ref: 00707710
Part of subcall function 00707674: PtInRect.USER32(?,?,00708B89), ref: 00707720

SendMessageW.USER32(?,000000B0,?,?), ref: 007091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00709225
SendMessageW.USER32(?,000000B0,?,?), ref: 0070923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00709255
SendMessageW.USER32(?,000000B1,?,?), ref: 00709277
DragFinish.SHELL32(?), ref: 0070927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00709371

Strings

p#t, xrefs: 007092BB
@GUI_DRAGID, xrefs: 007092E9
@GUI_DRAGFILE, xrefs: 00709320
@GUI_DROPID, xrefs: 0070929E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#t
API String ID: 221274066-656513400
Opcode ID: 67ce6ce8b5cc8b056e8e51924178e265540037d1a7b518aa2544676f3d593a84
Instruction ID: 95bea6864283e363dce9de3e3acc54390e6fdf14af80ede72e1f12f808a41909
Opcode Fuzzy Hash: 67ce6ce8b5cc8b056e8e51924178e265540037d1a7b518aa2544676f3d593a84
Instruction Fuzzy Hash: 1B618871108301AFD701EF60CC85DAFBBE9EF89350F004A2EF695921A1DB349A49CB66

Function 006F3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0070CC08), ref: 006F40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006F40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0070CC08), ref: 006F40F2
FreeLibrary.KERNEL32(00000000,?,0070CC08), ref: 006F413E
StringFromGUID2.OLE32(?,?,00000028,?,0070CC08), ref: 006F41A8
SysFreeString.OLEAUT32(00000009), ref: 006F4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006F42C8
SysFreeString.OLEAUT32(?), ref: 006F42F2

Strings

kernel32.dll, xrefs: 006F40B6
GetModuleHandleExW, xrefs: 006F40C7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: de15c42fc967c3893e8f588bcfdce2a7a4ef08a2748807edaae65ff66c80e6cb
Instruction ID: 7d030751cfae88ca603975749aa821b91b43e975042b913fdee59db4f07fee0c
Opcode Fuzzy Hash: de15c42fc967c3893e8f588bcfdce2a7a4ef08a2748807edaae65ff66c80e6cb
Instruction Fuzzy Hash: 08124B75A00109EFDB14DF94C884EBEB7B6FF45318F248198EA05AB651DB31ED46CBA0

Function 0067326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00741990), ref: 006B2F8D
GetMenuItemCount.USER32(00741990), ref: 006B303D
GetCursorPos.USER32(?), ref: 006B3081
SetForegroundWindow.USER32(00000000), ref: 006B308A
TrackPopupMenuEx.USER32(00741990,00000000,?,00000000,00000000,00000000), ref: 006B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006B30A9

Strings

0, xrefs: 0067327D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 12036b50c64eac29de874c2a50156011d723d7acc710ec84ad9717acb091a029
Instruction ID: ffc8fd55a0e9d98331ce6de9ee6d22408742d87410d5ca3fa520ceb991968e97
Opcode Fuzzy Hash: 12036b50c64eac29de874c2a50156011d723d7acc710ec84ad9717acb091a029
Instruction Fuzzy Hash: CB710AB0640216BEEB219F25CC59FEABFAAFF04364F204306F5246A3D1C7B19950D754

Function 00706CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00706DEB

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00706E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00706E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00706E94
DestroyWindow.USER32(?), ref: 00706EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00670000,00000000), ref: 00706EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00706EFD
GetDesktopWindow.USER32 ref: 00706F16
GetWindowRect.USER32(00000000), ref: 00706F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00706F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00706F4D

Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952

Strings

tooltips_class32, xrefs: 00706E58, 00706EDD
0, xrefs: 00706D98

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 1e43481e1d4e52d8b9d93997ab649c74df8d4334a4e4260234bada270ad0445c
Instruction ID: db5c046a0f1a0c83a11a0a61f0605d3c5278f525b9ac6afd20dd6fce8de2f7e7
Opcode Fuzzy Hash: 1e43481e1d4e52d8b9d93997ab649c74df8d4334a4e4260234bada270ad0445c
Instruction Fuzzy Hash: C2719974100341EFDB21DF18DC54EAABBE9FB89300F444A1EF989872A1CB79E956CB15

Function 006EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006EC5F0
InternetCloseHandle.WININET(00000000), ref: 006EC5FB

Strings

, xrefs: 006EC575

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 89c763eb7f0c2b632a4f80c5030ca9aec357e0616ee0081af24e7dd655ebf6c2
Instruction ID: aa9acb23e9a288607340cac32de04122cec3343b3b36e12a8487a0869bb40499
Opcode Fuzzy Hash: 89c763eb7f0c2b632a4f80c5030ca9aec357e0616ee0081af24e7dd655ebf6c2
Instruction Fuzzy Hash: 1B518DB1101348FFDB229F62C948AAB7BFDFF08364F00861AF94596250DB34E9159F60

Function 0070856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00708592
GetFileSize.KERNEL32(00000000,00000000), ref: 007085A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007085AD
CloseHandle.KERNEL32(00000000), ref: 007085BA
GlobalLock.KERNEL32(00000000), ref: 007085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007085D7
GlobalUnlock.KERNEL32(00000000), ref: 007085E0
CloseHandle.KERNEL32(00000000), ref: 007085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007085F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0070FC38,?), ref: 00708611
GlobalFree.KERNEL32(00000000), ref: 00708621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00708641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00708671
DeleteObject.GDI32(00000000), ref: 00708699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007086AF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: bd0e34d7fe67fee954d1bf3dc07806171dc1f8214affd4601dd70fe6ccade01d
Instruction ID: fef4db96f3d22c5dd1d29420dca76733941e1e89e767fbb7e12b8582f661bc8b
Opcode Fuzzy Hash: bd0e34d7fe67fee954d1bf3dc07806171dc1f8214affd4601dd70fe6ccade01d
Instruction Fuzzy Hash: DF414C71600208EFDB119FA5CC88EAE7BB8FF89715F108258F905E72A0DB399D01CB25

Function 006E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 006E1502
VariantCopy.OLEAUT32(?,?), ref: 006E150B
VariantClear.OLEAUT32(?), ref: 006E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 006E1657
VariantInit.OLEAUT32(?), ref: 006E1708
SysFreeString.OLEAUT32(?), ref: 006E178C
VariantClear.OLEAUT32(?), ref: 006E17D8
VariantClear.OLEAUT32(?), ref: 006E17E7
VariantInit.OLEAUT32(00000000), ref: 006E1823

Strings

Default, xrefs: 006E16AF
%4d%02d%02d%02d%02d%02d, xrefs: 006E1625

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 708879b31da9878fa87ca624a4ba9716e8cc5a7be22c473cf5cd522d65247c70
Instruction ID: 1748d6fa86bf9f3c57b8d25920ec8c0bebbea06af2582455468cdccb3c13bd9f
Opcode Fuzzy Hash: 708879b31da9878fa87ca624a4ba9716e8cc5a7be22c473cf5cd522d65247c70
Instruction Fuzzy Hash: 90D1F6B1601245DBDB00AF66D889BBDB7B7BF46700F10815AF846AF285DB34DC42EB61

Function 006FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FC9F1
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA68
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 006FB80A
RegCloseKey.ADVAPI32(?), ref: 006FB87E
RegCloseKey.ADVAPI32(?), ref: 006FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 006FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 006FB922
FreeLibrary.KERNEL32(00000000), ref: 006FB983
RegCloseKey.ADVAPI32(00000000), ref: 006FB994

Strings

RegDeleteKeyExW, xrefs: 006FB8FE
advapi32.dll, xrefs: 006FB8ED

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 278804df9edef6401e6fd5adbf2cba1a0fba2392d8a962e81b86961715fc708e
Instruction ID: 863cce5a82a7463230aece935edf4af96cefc5f8ac0337b68c279ca6daa6dafd
Opcode Fuzzy Hash: 278804df9edef6401e6fd5adbf2cba1a0fba2392d8a962e81b86961715fc708e
Instruction Fuzzy Hash: 61C19B30208205EFD710DF24C495F6ABBE6BF85318F14D55CE6AA8B3A2CB75E845CB91

Function 006F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006F25E8
CreateCompatibleDC.GDI32(?), ref: 006F25F4
SelectObject.GDI32(00000000,?), ref: 006F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006F26D0
SelectObject.GDI32(?,?), ref: 006F26D8
DeleteObject.GDI32(?), ref: 006F26E1
DeleteDC.GDI32(?), ref: 006F26E8
ReleaseDC.USER32(00000000,?), ref: 006F26F3

Strings

(, xrefs: 006F268D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1ac46d8e243ab571dfede82b0b266182d73f279823f1f1a85ecfeb7a04abd8e8
Instruction ID: 54db8824486c2797e9829b2e7b455b45d54158bae1769e59836f914865038e97
Opcode Fuzzy Hash: 1ac46d8e243ab571dfede82b0b266182d73f279823f1f1a85ecfeb7a04abd8e8
Instruction Fuzzy Hash: 596102B5D00219EFCF05CFA4D884AAEBBF6FF48310F208629EA55A7250D774A951CF54

Function 006ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006ADAA1

Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD659
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD66B
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD67D
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD68F
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6A1
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6B3
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6C5
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6D7
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6E9
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD6FB
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD70D
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD71F
Part of subcall function 006AD63C: _free.LIBCMT ref: 006AD731

_free.LIBCMT ref: 006ADA96

Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0

_free.LIBCMT ref: 006ADAB8
_free.LIBCMT ref: 006ADACD
_free.LIBCMT ref: 006ADAD8
_free.LIBCMT ref: 006ADAFA
_free.LIBCMT ref: 006ADB0D
_free.LIBCMT ref: 006ADB1B
_free.LIBCMT ref: 006ADB26
_free.LIBCMT ref: 006ADB5E
_free.LIBCMT ref: 006ADB65
_free.LIBCMT ref: 006ADB82
_free.LIBCMT ref: 006ADB9A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 70c4333d9b0fda56b661903dcec1ea116630b195453d43c24483f06b4a5941f2
Instruction ID: 1ebd3fb5c79a634863c6bc585441c4c363ad43937f4dce768ced554f2dc7d1a4
Opcode Fuzzy Hash: 70c4333d9b0fda56b661903dcec1ea116630b195453d43c24483f06b4a5941f2
Instruction Fuzzy Hash: 30315C716442069FEBA1BA39E845B9BB7EAFF02B10F11442DE44AD7691DA30BC408F25

Function 006D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006D369C
_wcslen.LIBCMT ref: 006D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006D3797
GetClassNameW.USER32(?,?,00000400), ref: 006D380C
GetDlgCtrlID.USER32(?), ref: 006D385D
GetWindowRect.USER32(?,?), ref: 006D3882
GetParent.USER32(?), ref: 006D38A0
ScreenToClient.USER32(00000000), ref: 006D38A7
GetClassNameW.USER32(?,?,00000100), ref: 006D3921
GetWindowTextW.USER32(?,?,00000400), ref: 006D395D

Strings

%s%u, xrefs: 006D3734

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 472d3d753beb559b23184a643ef1a5508fef0de3aca4e324bfcf0d679ba89dea
Instruction ID: 63149561687df5882569f05b0d7f50496c3859f4612485d26879a620cabb4fb2
Opcode Fuzzy Hash: 472d3d753beb559b23184a643ef1a5508fef0de3aca4e324bfcf0d679ba89dea
Instruction Fuzzy Hash: E491D771600616EFD715DF24C895FEAB7AAFF44350F00861AF999C6390EB30EA45CB92

Function 006D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 006D4994
GetWindowTextW.USER32(?,?,00000400), ref: 006D49DA
_wcslen.LIBCMT ref: 006D49EB
CharUpperBuffW.USER32(?,00000000), ref: 006D49F7
_wcsstr.LIBVCRUNTIME ref: 006D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 006D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 006D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 006D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 006D4B20
GetWindowRect.USER32(?,?), ref: 006D4B8B

Strings

ThumbnailClass, xrefs: 006D4A6F, 006D4AF1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2a97f58f14057c472e584355c894eff02500db627c4879966750a178325df52a
Instruction ID: a98f9e25d6cf7a22c60696f235545f149ec19f354c600e9561211ab150df462c
Opcode Fuzzy Hash: 2a97f58f14057c472e584355c894eff02500db627c4879966750a178325df52a
Instruction Fuzzy Hash: 4E91DC318082059FDB05CF10C985BAA77EAFF94304F04856BFD8A9A296DF34ED45CBA1

Function 006DBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00741990,000000FF,00000000,00000030), ref: 006DBFAC
SetMenuItemInfoW.USER32(00741990,00000004,00000000,00000030), ref: 006DBFE1
Sleep.KERNEL32(000001F4), ref: 006DBFF3
GetMenuItemCount.USER32(?), ref: 006DC039
GetMenuItemID.USER32(?,00000000), ref: 006DC056
GetMenuItemID.USER32(?,-00000001), ref: 006DC082
GetMenuItemID.USER32(?,?), ref: 006DC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006DC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006DC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006DC145

Strings

0, xrefs: 006DBF3D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: f1d2f1ac9335f9f9ec787058e0c9c2016fe32ebccda287b39544055e74480fbb
Instruction ID: 153343a011e6e77b54570858d2473dd232f205001f5cd734ad22784b1f5ad953
Opcode Fuzzy Hash: f1d2f1ac9335f9f9ec787058e0c9c2016fe32ebccda287b39544055e74480fbb
Instruction Fuzzy Hash: 80617FB0D0025AEFDF21CF64DD88AEE7BBAEB05354F10425AE911A3391CB35AD55CB60

Function 006FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006FCD48

Part of subcall function 006FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006FCCAA
Part of subcall function 006FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006FCCBD
Part of subcall function 006FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006FCCCF
Part of subcall function 006FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006FCD05
Part of subcall function 006FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 006FCCF3

Strings

RegDeleteKeyExW, xrefs: 006FCCC9
advapi32.dll, xrefs: 006FCCB8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f7674d3f8ee197b39b3cdfaa5254bbff9e690a10a737bc635b382cc58d56e17b
Instruction ID: 447dacb32c4b7b5dc55ce00c400781d541affac7b0b29563d51eac4516926066
Opcode Fuzzy Hash: f7674d3f8ee197b39b3cdfaa5254bbff9e690a10a737bc635b382cc58d56e17b
Instruction Fuzzy Hash: 64318FB190112CFBDB218B50DD88EFFBB7DEF45760F004265BA06E2240DB349A45DAA4

Function 006E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006E3D40
_wcslen.LIBCMT ref: 006E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 006E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 006E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006E3E55
CloseHandle.KERNEL32(00000000), ref: 006E3E60
CloseHandle.KERNEL32(00000000), ref: 006E3E6B

Strings

\??\%s, xrefs: 006E3D5B
:, xrefs: 006E3D82
\, xrefs: 006E3D77

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d97649fa51398dc549cb72d7ea99e6f51181aacec8146217ff7204e1a5db10f0
Instruction ID: 833cecc144a123bdd6d70af2b15b7ec6fcfef3e9e4f05c6d11be08a3b3e600d9
Opcode Fuzzy Hash: d97649fa51398dc549cb72d7ea99e6f51181aacec8146217ff7204e1a5db10f0
Instruction Fuzzy Hash: 7431C671900259ABDB219FA1DC49FEF37BDEF88700F5082B5F605D6250EB7497448B28

Function 006DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006DE6B4

Part of subcall function 0068E551: timeGetTime.WINMM(?,?,006DE6D4), ref: 0068E555

Sleep.KERNEL32(0000000A), ref: 006DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 006DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006DE727
SetActiveWindow.USER32 ref: 006DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 006DE773
Sleep.KERNEL32(000000FA), ref: 006DE77E
IsWindow.USER32 ref: 006DE78A
EndDialog.USER32(00000000), ref: 006DE79B

Strings

BUTTON, xrefs: 006DE719

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 262f18fa949fe684f5aae555c054d75495ecfa1341515ff92f1469c0e097e107
Instruction ID: 050a483cf642a69000bafb7abe46d150fe8b6c33a3453b5634a3619e15c583ae
Opcode Fuzzy Hash: 262f18fa949fe684f5aae555c054d75495ecfa1341515ff92f1469c0e097e107
Instruction Fuzzy Hash: BD21C5B8740244EFEB116F20EC89E363B6AE756348F508627F405857A2DF7B9C11CA1D

Function 006DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006DEAA7

Strings

play PlayMe wait, xrefs: 006DEA91
play PlayMe, xrefs: 006DEAA2
alias PlayMe, xrefs: 006DEA36
close PlayMe, xrefs: 006DEA6E, 006DEA9B
status PlayMe mode, xrefs: 006DEA58
open , xrefs: 006DEA0C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 476e65c7ed42a4627f93ee45605f253c6f43f440b7114ccf25ff2635b5d3e1d7
Instruction ID: 1436753c3632b2f9b69f81b0a54a1e02250c22f4f3f7e8b10628e3fbd05cbe9c
Opcode Fuzzy Hash: 476e65c7ed42a4627f93ee45605f253c6f43f440b7114ccf25ff2635b5d3e1d7
Instruction Fuzzy Hash: 1B11A371A90269B9E720F7A1DC4AEFF6B7DEBD1B00F04842E7415A61D1EE701905C5B0

Function 006D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006D5CE2
GetWindowRect.USER32(00000000,?), ref: 006D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 006D5D59
GetDlgItem.USER32(?,00000002), ref: 006D5D69
GetWindowRect.USER32(00000000,?), ref: 006D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 006D5DCF
GetDlgItem.USER32(?,000003E9), ref: 006D5DDD
GetWindowRect.USER32(00000000,?), ref: 006D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 006D5E31
GetDlgItem.USER32(?,000003EA), ref: 006D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 006D5E67

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 98bfd2f5e22b1f88b17dc59e569d18dbe3f6f7626d0d65b8cd3548bd52bf3ed1
Instruction ID: b8890e923de6b125a03da367865ef3d5df263d0e8778939ca38c849b01d291c1
Opcode Fuzzy Hash: 98bfd2f5e22b1f88b17dc59e569d18dbe3f6f7626d0d65b8cd3548bd52bf3ed1
Instruction Fuzzy Hash: F8510F71E00605AFDB19DF68DD89AAE7BB6EF48300F148229F516E6790DB749E00CB64

Function 00688BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00688F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00688BE8,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 00688FC5

DestroyWindow.USER32(?), ref: 00688C81
KillTimer.USER32(00000000,?,?,?,?,00688BBA,00000000,?), ref: 00688D1B
DestroyAcceleratorTable.USER32(00000000), ref: 006C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 006C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00688BBA,00000000,?), ref: 006C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00688BBA,00000000), ref: 006C69D4
DeleteObject.GDI32(00000000), ref: 006C69E6

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: aaf47ed9c6cc6f320251c6b64ddc872e59e06962512f3fb33fec506f31cb1681
Instruction ID: 1ca89b431d50c5069f4d831457f0a260187e184a06f5488fdec6be964d5a07eb
Opcode Fuzzy Hash: aaf47ed9c6cc6f320251c6b64ddc872e59e06962512f3fb33fec506f31cb1681
Instruction Fuzzy Hash: BB618A34502701DFDB22AF18DA48B6577F2FB41312F94861DE0429B6A4CB79B9C1CF98

Function 00689838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00689944: GetWindowLongW.USER32(?,000000EB), ref: 00689952

GetSysColor.USER32(0000000F), ref: 00689862

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 328cb60297e60e9bf15300406d301148116d0df6aa026a30e1c8f777823848aa
Instruction ID: e52e004d583642cb01283189c00defd61ce432b574e60e9f3f89c614e2938649
Opcode Fuzzy Hash: 328cb60297e60e9bf15300406d301148116d0df6aa026a30e1c8f777823848aa
Instruction Fuzzy Hash: F0419671104645EFDB216F389C44BB93766EB06334F188B19F9A28B2E1DB759C42DB20

Function 006A8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.i, xrefs: 006A903A, 006A8FD0, 006A8FF2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: .i
API String ID: 0-2647164722
Opcode ID: 1b14888ffa7fd3247c819b13f1829bcb15691249795c54fbf02785fbe466236f
Instruction ID: 961b7e7fbb97fe650085df5b5cc1538ef016e3655e26618a537898f926b2ee69
Opcode Fuzzy Hash: 1b14888ffa7fd3247c819b13f1829bcb15691249795c54fbf02785fbe466236f
Instruction Fuzzy Hash: ECC1BE74904249AFDF11EFA8C841BEDBBB6AF0A350F244199E914A7392CB349E41CF65

Function 006D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 006D9717
LoadStringW.USER32(00000000,?,006BF7F8,00000001), ref: 006D9720

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 006D9742
LoadStringW.USER32(00000000,?,006BF7F8,00000001), ref: 006D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 006D9866

Strings

Line %d (File "%s"):, xrefs: 006D978F
Line %d:, xrefs: 006D97A0
%s (%d) : ==> %s: %s %s, xrefs: 006D984A
^ ERROR, xrefs: 006D97FB
Error: , xrefs: 006D981D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 0a7ea43bb1d54b172ae17a86b866e66076228e8f664058fbf908c0abc6f624bd
Instruction ID: e88a33200d289d6c6b95c8ef20e301fcce249961e015a2614b5129aea5058c98
Opcode Fuzzy Hash: 0a7ea43bb1d54b172ae17a86b866e66076228e8f664058fbf908c0abc6f624bd
Instruction Fuzzy Hash: 90416C72C00219AADF44EBE0CD82DEEB37AAF15300F108529F60972192EB356F48CB75

Function 006D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 006D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006D083C

Strings

\IPC$, xrefs: 006D0784
SOFTWARE\Classes\, xrefs: 006D070E
\CLSID, xrefs: 006D0724

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a9881d0144a0a05913e14e8e5d124ddd87658b370fac4669da6d6e9cfdd7caaf
Instruction ID: 0ed36880d66cbd24368fc716ecac9dd041d006da39c4ec6a8097c00d51165bd1
Opcode Fuzzy Hash: a9881d0144a0a05913e14e8e5d124ddd87658b370fac4669da6d6e9cfdd7caaf
Instruction Fuzzy Hash: 08410A72C10229EBDF15EBA4DC95DEDB779BF44350F048229E905A72A1EB346E04CBA4

Function 006F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006F3C5C
CoInitialize.OLE32(00000000), ref: 006F3C8A
CoUninitialize.OLE32 ref: 006F3C94
_wcslen.LIBCMT ref: 006F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 006F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 006F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 006F3F0E
CoGetObject.OLE32(?,00000000,0070FB98,?), ref: 006F3F2D
SetErrorMode.KERNEL32(00000000), ref: 006F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006F3FC4
VariantClear.OLEAUT32(?), ref: 006F3FD8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 12c4439d26d736bc30bed016d242f205dbeacd21f68ec14685d377ec7dcc396c
Instruction ID: 4a8118ed2c5f70a036d2bd05c45ab184e61aff1f501f153b86f7dfccd54ccecf
Opcode Fuzzy Hash: 12c4439d26d736bc30bed016d242f205dbeacd21f68ec14685d377ec7dcc396c
Instruction Fuzzy Hash: 50C134716082199FD700DF68C88496BB7EAFF89744F104A1DFA8A9B350DB30EE45CB52

Function 006E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 006E7BA3
CoCreateInstance.OLE32(0070FD08,00000000,00000001,00736E6C,?), ref: 006E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006E7C74
CoTaskMemFree.OLE32(?,?), ref: 006E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 006E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006E7D7A
CoTaskMemFree.OLE32(00000000), ref: 006E7D81
CoTaskMemFree.OLE32(00000000), ref: 006E7DD6
CoUninitialize.OLE32 ref: 006E7DDC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 434e9edfd6bb889d17161b9986d74ef86421ad737a6574d297188be07bf23eb1
Instruction ID: 74d85b28364ef1653eaa2a56cf05f6dde8a0b73ccb3bd0f83c222d77a08fedef
Opcode Fuzzy Hash: 434e9edfd6bb889d17161b9986d74ef86421ad737a6574d297188be07bf23eb1
Instruction Fuzzy Hash: E6C12B75A04249EFDB14DFA5C884DAEBBFAFF48304B148598E4199B361DB30ED41CB94

Function 0070541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00705504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00705515
CharNextW.USER32(00000158), ref: 00705544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00705585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0070559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007055AC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 327be51e2c9e1a74ccf626f39fd0134430ecbab8084fce7a0057384488596e6b
Instruction ID: a734c807abe54dd48093e0c75fb0ce57bfccc1ba558619dafd82c643c879ed4c
Opcode Fuzzy Hash: 327be51e2c9e1a74ccf626f39fd0134430ecbab8084fce7a0057384488596e6b
Instruction Fuzzy Hash: 13615B74900608EBDF219F54CC84DFF7BB9EB05720F108245F925AA2D0DB799A81DF60

Function 006CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 006CFB08
VariantInit.OLEAUT32(?), ref: 006CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 006CFB3A
VariantCopy.OLEAUT32(?,?), ref: 006CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 006CFBA1
VariantClear.OLEAUT32(?), ref: 006CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 006CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006CFBCC
VariantClear.OLEAUT32(?), ref: 006CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006CFBE9

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 57ab6e5875efb83cf7ff0572f58bac005fb5340e0f5dd77bfef27b310f1f8488
Instruction ID: 181a7d2077082db62aa23a4df02752fdf68bbdb2603554ef9a56183b50353b3c
Opcode Fuzzy Hash: 57ab6e5875efb83cf7ff0572f58bac005fb5340e0f5dd77bfef27b310f1f8488
Instruction Fuzzy Hash: 0C412D35A00219DFCB01DFA4C854EAEBBBAFF48354F008169F945A7261CB34A945CBA4

Function 006D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 006D9D22
GetKeyState.USER32(000000A0), ref: 006D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 006D9D57
GetKeyState.USER32(000000A1), ref: 006D9D6C
GetAsyncKeyState.USER32(00000011), ref: 006D9D84
GetKeyState.USER32(00000011), ref: 006D9D96
GetAsyncKeyState.USER32(00000012), ref: 006D9DAE
GetKeyState.USER32(00000012), ref: 006D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 006D9DD8
GetKeyState.USER32(0000005B), ref: 006D9DEA

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ffc35d464b064dcc2fe2f3f342ab2ee89f0ae8e065074cc6c9abd8e13ad10c8b
Instruction ID: 5a30da5daaa968037de1f73e417270c2614892c234c451546d896a52e3368c9e
Opcode Fuzzy Hash: ffc35d464b064dcc2fe2f3f342ab2ee89f0ae8e065074cc6c9abd8e13ad10c8b
Instruction Fuzzy Hash: B641C634D04BC969FF31976088043F5BEA3AF12344F04815BDAC6567C2EBA599C8CBB2

Function 006F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006F05BC
inet_addr.WSOCK32(?), ref: 006F061C
gethostbyname.WSOCK32(?), ref: 006F0628
IcmpCreateFile.IPHLPAPI ref: 006F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006F07B9
WSACleanup.WSOCK32 ref: 006F07BF

Strings

Ping, xrefs: 006F0676

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fac4678f6b78a95326b707c3dbec2f26d95f231993ad342993e2b190df826a21
Instruction ID: d1b404af06126d7a71fa56de53c2b067b551c47ffdcd0e2d3ac908411c2ffa36
Opcode Fuzzy Hash: fac4678f6b78a95326b707c3dbec2f26d95f231993ad342993e2b190df826a21
Instruction Fuzzy Hash: C3918E75608205EFE720DF15C488F6ABBE2AF44318F1486A9F5698B7A2C774EC41CF91

Function 006F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 006F8CF3

Part of subcall function 006D8E54: _wcslen.LIBCMT ref: 006D8E77

_wcslen.LIBCMT ref: 006F8D4E
_wcslen.LIBCMT ref: 006F8D9C
_wcslen.LIBCMT ref: 006F8DDC
_wcslen.LIBCMT ref: 006F8E6E

Strings

stdcall, xrefs: 006F8DD6, 006F8DDB
none, xrefs: 006F8E65, 006F8E6A
cdecl, xrefs: 006F8D48, 006F8D4D
winapi, xrefs: 006F8D96, 006F8D9B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b61a649eb86b0846f53e913e0a36edb375c92a6729bcc895bbb516ab15cda69e
Instruction ID: b0d4fb03cef16580cd8028ebff4218d2a3d975d9bd7987a602127c064e313e1b
Opcode Fuzzy Hash: b61a649eb86b0846f53e913e0a36edb375c92a6729bcc895bbb516ab15cda69e
Instruction Fuzzy Hash: 6B519E32A0451A9FCF24DF68C9518FEB7A7AF64320B2042A9E626E7385DB34DD41C790

Function 006F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 006F3774
CoUninitialize.OLE32 ref: 006F377F
CoCreateInstance.OLE32(?,00000000,00000017,0070FB78,?), ref: 006F37D9
IIDFromString.OLE32(?,?), ref: 006F384C
VariantInit.OLEAUT32(?), ref: 006F38E4
VariantClear.OLEAUT32(?), ref: 006F3936

Strings

NULL Pointer assignment, xrefs: 006F381E
Failed to create object, xrefs: 006F37E4, 006F389A
Invalid parameter, xrefs: 006F3865

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b54d963b6cc7451d21c5bd8f893fa6fc150c8964f470c89cb7bfd77f6da8f53a
Instruction ID: 728f2c91f1d38496da38f506c30bada1fc0b5692b257b17e82ad5021262fc189
Opcode Fuzzy Hash: b54d963b6cc7451d21c5bd8f893fa6fc150c8964f470c89cb7bfd77f6da8f53a
Instruction Fuzzy Hash: 2E61D1B0608315AFD310EF54C849BAAB7E6EF48740F10490DFA959B391C774EE49CB9A

Function 006E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006E33CF

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006E33F0

Strings

Line %d (File "%s"):, xrefs: 006E3443, 006E345C
Incorrect parameters to object property !, xrefs: 006E34AB
^ ERROR , xrefs: 006E349E
"%s" (%d) : ==> %s:%s%s, xrefs: 006E3504
"%s" (%d) : ==> %s:, xrefs: 006E3522
Error: , xrefs: 006E34D1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 914ee0225153708be1f30a3218153586735e62053c173846205b4c464a2cb66d
Instruction ID: 6332a1571332a80c1a12b0048c682531dd1445d6e6c6d1eb5d57d30b44fc5816
Opcode Fuzzy Hash: 914ee0225153708be1f30a3218153586735e62053c173846205b4c464a2cb66d
Instruction Fuzzy Hash: 8D51B371C00259BADF15EBA0CD46DEEB7BAAF04300F108169F10973292EB352F58DB65

Function 006DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006DB5FC
_wcslen.LIBCMT ref: 006DB608
_wcslen.LIBCMT ref: 006DB64D
_wcslen.LIBCMT ref: 006DB68C
_wcslen.LIBCMT ref: 006DB6C7

Strings

REMOVE, xrefs: 006DB602, 006DB607
EXISTS, xrefs: 006DB686, 006DB68B
KEYS, xrefs: 006DB647, 006DB64C
APPEND, xrefs: 006DB6C1, 006DB6C6

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d0dd55cb5235c66e5266a18c2eaf958ac2582ca189e5d53547ca5e023834583b
Instruction ID: c07c7f91aa5c155e24574400f58cf3a28726ab3745187b0d98c3348f4dea4880
Opcode Fuzzy Hash: d0dd55cb5235c66e5266a18c2eaf958ac2582ca189e5d53547ca5e023834583b
Instruction Fuzzy Hash: A841D632E00066DBCB205F7D88905FE77A7AFA5B54B26522BE425D7388E735CD82C790

Function 006E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006E5416
GetLastError.KERNEL32 ref: 006E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 006E54A7

Strings

NOTREADY, xrefs: 006E544B
INVALID, xrefs: 006E5459
UNKNOWN, xrefs: 006E5444
READONLY, xrefs: 006E5452
READY, xrefs: 006E5460, 006E5468

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 137c6b1f4c97a972b94867157da81f31cc24563ba5cdc47bbb07ecf85cce6d39
Instruction ID: ac43dc98e7e11303504f6328590e8d4bdc9b4bfb5596be3d7344ed7217b4b1ad
Opcode Fuzzy Hash: 137c6b1f4c97a972b94867157da81f31cc24563ba5cdc47bbb07ecf85cce6d39
Instruction Fuzzy Hash: C731AC35A01244DFDB11DF69C484AEABBF6EB04309F14C069E406CB392DB74DD86CBA1

Function 00703C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00703C79
SetMenu.USER32(?,00000000), ref: 00703C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00703D10
IsMenu.USER32(?), ref: 00703D24
CreatePopupMenu.USER32 ref: 00703D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00703D5B
DrawMenuBar.USER32 ref: 00703D63

Strings

F, xrefs: 00703D4E
0, xrefs: 00703C54

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b6137f507a5e15da5d220fe19247360a4d3aaf24f2c28cfb71b214849973b37c
Instruction ID: 8c8d0fcb77cd4084e3e267be4c64758d3de50dd981e6d71230554a24ea59f265
Opcode Fuzzy Hash: b6137f507a5e15da5d220fe19247360a4d3aaf24f2c28cfb71b214849973b37c
Instruction Fuzzy Hash: 1D417C79A01209EFDB14CF64D844EAA7BF9FF49350F144229F946973A0D738AA10DF94

Function 006D1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 006D1F64
GetDlgCtrlID.USER32 ref: 006D1F6F
GetParent.USER32 ref: 006D1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 006D1F8E
GetDlgCtrlID.USER32(?), ref: 006D1F97
GetParent.USER32(?), ref: 006D1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 006D1FAE

Strings

ListBox, xrefs: 006D1F21
ComboBox, xrefs: 006D1EEC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3afa8df542178b19a6d8cdab710f94cec3589e1588ba86ced6a8e7efcd7965e6
Instruction ID: a367620d9de245bfce990756722d9a0b27eca724011541078f6b8650cf6c7268
Opcode Fuzzy Hash: 3afa8df542178b19a6d8cdab710f94cec3589e1588ba86ced6a8e7efcd7965e6
Instruction Fuzzy Hash: AC21D370E00114FBCF15AFA0CC45DEEBBB9EF06300F00464AB95567391CB7949058B64

Function 006D1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 006D2043
GetDlgCtrlID.USER32 ref: 006D204E
GetParent.USER32 ref: 006D206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 006D206D
GetDlgCtrlID.USER32(?), ref: 006D2076
GetParent.USER32(?), ref: 006D208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 006D208D

Strings

ListBox, xrefs: 006D2002
ComboBox, xrefs: 006D1FCD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1af28a092e074d33d7ede632936f1573605f1fba1bedbedc59467033346575da
Instruction ID: deddfad48bfcc169bd57c1cade314af9b67c54158b59cad9671575a9d5eefa9a
Opcode Fuzzy Hash: 1af28a092e074d33d7ede632936f1573605f1fba1bedbedc59467033346575da
Instruction Fuzzy Hash: C521D1B1E00218FBDF15AFA0CC85EEEBBB9EF15300F00854AB955A72A1CA794915DB74

Function 00703A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00703A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00703AA0
GetWindowLongW.USER32(?,000000F0), ref: 00703AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00703AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00703B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00703BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00703BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00703BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00703BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00703C13

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 80e6f623b977867c3f8ceacc3ee196842cc9995b33ddcde4c2c7264bf7cafc8e
Instruction ID: 269b861bf384352031b736c45742c4dfefb650575eecca30bf3f780f22a4608e
Opcode Fuzzy Hash: 80e6f623b977867c3f8ceacc3ee196842cc9995b33ddcde4c2c7264bf7cafc8e
Instruction Fuzzy Hash: F7616975900248EFDB10DFA8CC81EEE77F8AB09704F10419AFA15E72D1D778AA81DB64

Function 006DB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006DB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB165
GetWindowThreadProcessId.USER32(00000000), ref: 006DB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 006DB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006DA1E1,?,00000001), ref: 006DB21D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 709db3c2d605a110ee1de1f72972df33dfe07301fd35ddd4137e5bcf8a55d026
Instruction ID: 4d44701a26dec6edc523765ff71ca5aaf90a7c126363c9b605291b6250ed83b5
Opcode Fuzzy Hash: 709db3c2d605a110ee1de1f72972df33dfe07301fd35ddd4137e5bcf8a55d026
Instruction Fuzzy Hash: A331D476900204FFDB219F24EC84BBD7B7BBB11355F159206F904CA360C7B99A008F28

Function 006A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A2C94

Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0

_free.LIBCMT ref: 006A2CA0
_free.LIBCMT ref: 006A2CAB
_free.LIBCMT ref: 006A2CB6
_free.LIBCMT ref: 006A2CC1
_free.LIBCMT ref: 006A2CCC
_free.LIBCMT ref: 006A2CD7
_free.LIBCMT ref: 006A2CE2
_free.LIBCMT ref: 006A2CED
_free.LIBCMT ref: 006A2CFB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 16eb800bdcc9db27220e0630d8d83e263acc969aadf3040afade471a50d397ef
Instruction ID: 2480636e62e1127ee3153409c0342597b5ae6d768a43d625537857cd2ceee47b
Opcode Fuzzy Hash: 16eb800bdcc9db27220e0630d8d83e263acc969aadf3040afade471a50d397ef
Instruction Fuzzy Hash: DA11B476140109AFCB82FF59D852CDE3BA6BF06B50F4144A8FA485B222D631FE509F95

Function 006E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 006E7FC1
GetFileAttributesW.KERNEL32(?), ref: 006E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 006E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 006E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 006E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006E80B0

Strings

*.*, xrefs: 006E8066

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ea1fb8a427bbd280875c441f645f6807894e8ab4c160180e2e96391ddea93168
Instruction ID: f18544ce89351031662530dfd0ae15cc40581e9edfe3b537ba800938a8d4aa94
Opcode Fuzzy Hash: ea1fb8a427bbd280875c441f645f6807894e8ab4c160180e2e96391ddea93168
Instruction Fuzzy Hash: 5581B0725093859FCB24EF16C8449AEB3EABF88310F148C5EF889D7251EB35DD498B52

Function 00675BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00675C7A

Part of subcall function 00675D0A: GetClientRect.USER32(?,?), ref: 00675D30
Part of subcall function 00675D0A: GetWindowRect.USER32(?,?), ref: 00675D71
Part of subcall function 00675D0A: ScreenToClient.USER32(?,?), ref: 00675D99

GetDC.USER32 ref: 006B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006B4708
SelectObject.GDI32(00000000,00000000), ref: 006B4716
SelectObject.GDI32(00000000,00000000), ref: 006B472B
ReleaseDC.USER32(?,00000000), ref: 006B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006B47C4

Strings

U, xrefs: 006B4693

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ff04cab823feff746b34d3623d4e0730097820abae555fc08eb0b52d3d73e30c
Instruction ID: 56a4a7f4c551402d30aa8a1c753861c8eb8c94e1a921f43753e733e01f9e371b
Opcode Fuzzy Hash: ff04cab823feff746b34d3623d4e0730097820abae555fc08eb0b52d3d73e30c
Instruction Fuzzy Hash: 4971E274400205DFCF228F64C984AFA3BB7FF4A320F148269E9565A2A7DF359881DF50

Function 006E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006E35E4

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

LoadStringW.USER32(00742390,?,00000FFF,?), ref: 006E360A

Strings

Line %d (File "%s"):, xrefs: 006E366B
^ ERROR, xrefs: 006E36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 006E3724
"%s" (%d) : ==> %s:, xrefs: 006E3742
Error: , xrefs: 006E36EF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: cdc57023362fe5a18ff10077f2502dee27b35ade4aade72b6731eaa45ebea60f
Instruction ID: 289bf1b2a2f7ef3a4ab94a7f569c0a6635afa9856c27148bfbcd2b5301964a42
Opcode Fuzzy Hash: cdc57023362fe5a18ff10077f2502dee27b35ade4aade72b6731eaa45ebea60f
Instruction Fuzzy Hash: B6519171C00259BADF15EBA0CC46EEEBB76AF14300F148129F10972292EB355B99DF69

Function 006EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006EC2CA
GetLastError.KERNEL32 ref: 006EC322
SetEvent.KERNEL32(?), ref: 006EC336
InternetCloseHandle.WININET(00000000), ref: 006EC341

Strings

, xrefs: 006EC2BB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 534321841cdee73a0bd96cbf20d4494e9afd67dbf064f1bc0ad7a32b2873500a
Instruction ID: 6b8dc29ae11dd4f7baabd4194764310d4b09079b7dc793e85ce2b8364c37bc74
Opcode Fuzzy Hash: 534321841cdee73a0bd96cbf20d4494e9afd67dbf064f1bc0ad7a32b2873500a
Instruction Fuzzy Hash: 4231A0B1501344AFD7229F66CC88AAB7BFEEB49760F14861DF446D3200DB34DD069B65

Function 006D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006B3AAF,?,?,Bad directive syntax error,0070CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006D98BC
LoadStringW.USER32(00000000,?,006B3AAF,?), ref: 006D98C3

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006D9987

Strings

Line %d (File "%s"):, xrefs: 006D992D
., xrefs: 006D996D
%s (%d) : ==> %s.: %s %s, xrefs: 006D98F1
Line %d:, xrefs: 006D9912
Error: , xrefs: 006D9955

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: bdf7c62a71b00a9612c58ca43504a61b9cebf297fd6fb4b0da608edf8f7e6c4a
Instruction ID: f0ee5a71202398247aa237a0f0fe28285e375a8d004a621424737556ab49968c
Opcode Fuzzy Hash: bdf7c62a71b00a9612c58ca43504a61b9cebf297fd6fb4b0da608edf8f7e6c4a
Instruction Fuzzy Hash: 94219171C0021AFBDF26AF90CC16EEE777AFF18300F04851AF519661A2EB359618DB25

Function 006D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006D214D

Strings

largeicons, xrefs: 006D20E1
smallicons, xrefs: 006D2115
SHELLDLL_DefView, xrefs: 006D20CC
details, xrefs: 006D20FB
list, xrefs: 006D212F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b41218cc65bf28b62434a9ab74909b6c7e2e0f6123a34fe110dccd862d7c2bd5
Instruction ID: 68ed46c8bfa399d94d3b2bc990430dafc8b527ab5ceaa0c4279dfb5e14adf831
Opcode Fuzzy Hash: b41218cc65bf28b62434a9ab74909b6c7e2e0f6123a34fe110dccd862d7c2bd5
Instruction Fuzzy Hash: 6D110AB6A84707B9FA112221DC17DE6779DCF25724F20821BF704A52D2EE6558435618

Function 006ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006ACEB7
_free.LIBCMT ref: 006ACF22
_free.LIBCMT ref: 006ACF48
_free.LIBCMT ref: 006ACF71
_free.LIBCMT ref: 006ACFA9
_free.LIBCMT ref: 006ACFDA
_free.LIBCMT ref: 006AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006AD09C
_free.LIBCMT ref: 006AD0B5

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 133253ee5374471779c4172d7abc5b92c3ba4258a56ac5eefa124f9cd37f2f61
Instruction ID: a5c455049e7455b1a96b77c536fd450dc88ee893fd5376cb2bc9e6dd28625f22
Opcode Fuzzy Hash: 133253ee5374471779c4172d7abc5b92c3ba4258a56ac5eefa124f9cd37f2f61
Instruction Fuzzy Hash: 4E6159B2A04301AFDF21BFB89851AAA7B97AF03730F04416EFA5597381D7359D018FA5

Function 007050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00705186
ShowWindow.USER32(?,00000000), ref: 007051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007051D1

Part of subcall function 00706FBA: DeleteObject.GDI32(00000000), ref: 00706FE6

GetWindowLongW.USER32(?,000000F0), ref: 0070520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0070521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0070524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00705287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00705296

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 13a5069e973a49cdbb1f52b41b4e2ef9b8201fb5861d674d9071d545811cda96
Instruction ID: b55219d3064e295784a008a0e40e111670cd3c32dbd18cd714c80928bc60ec33
Opcode Fuzzy Hash: 13a5069e973a49cdbb1f52b41b4e2ef9b8201fb5861d674d9071d545811cda96
Instruction Fuzzy Hash: FF516D70A50A08FEEF209F28CC49B9A3BE5BF05321F148315F615962E1C779A990DF55

Function 00688B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00688874,00000000,00000000,00000000,000000FF,00000000), ref: 006C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00688874,00000000,00000000,00000000,000000FF,00000000), ref: 006C692D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 83eee9bb4338ece1ca243d5ade8f9222c247673d17612b82696b385c777376f1
Instruction ID: 11c1b7d6e4c4fd7440daaefc27349bbe68ec01c10865dc60e74c4faa74f3f2c3
Opcode Fuzzy Hash: 83eee9bb4338ece1ca243d5ade8f9222c247673d17612b82696b385c777376f1
Instruction Fuzzy Hash: 73518A70600209EFDB20EF24CC95FAA7BB6FB98750F10861CF906972A0DB75E991DB54

Function 006EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006EC182
GetLastError.KERNEL32 ref: 006EC195
SetEvent.KERNEL32(?), ref: 006EC1A9

Part of subcall function 006EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006EC272
Part of subcall function 006EC253: GetLastError.KERNEL32 ref: 006EC322
Part of subcall function 006EC253: SetEvent.KERNEL32(?), ref: 006EC336
Part of subcall function 006EC253: InternetCloseHandle.WININET(00000000), ref: 006EC341

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4bde984bd5a0a5102e1fa382b73acccb489b9f2b38515589985090938373ffef
Instruction ID: 3f852aab8c719eeacf9336fcba470bb4d767cc59c85f59e8b132b2dc38c49155
Opcode Fuzzy Hash: 4bde984bd5a0a5102e1fa382b73acccb489b9f2b38515589985090938373ffef
Instruction Fuzzy Hash: 7E31A371101781EFDB219FA6DC04AA6BBFAFF14320B00861DFA5683610DB34E9169B64

Function 006D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D3A57
Part of subcall function 006D3A3D: GetCurrentThreadId.KERNEL32 ref: 006D3A5E
Part of subcall function 006D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006D25B3), ref: 006D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 006D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 006D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 006D2627

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 42bcdcc8216e6f440b01744f77bfa3ac36723d3d482e0630b665d0cd65ee62ee
Instruction ID: 78124d093e3c95c5c994b836859b608e8672a83bf00d1a3de96a0930037dff10
Opcode Fuzzy Hash: 42bcdcc8216e6f440b01744f77bfa3ac36723d3d482e0630b665d0cd65ee62ee
Instruction Fuzzy Hash: 5301D870790214FBFB2167689C8AF593F59DB5EB11F104246F314AF1D1CDE258448AAE

Function 006D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,006D1449,?,?,00000000), ref: 006D180C
HeapAlloc.KERNEL32(00000000,?,006D1449,?,?,00000000), ref: 006D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006D1449,?,?,00000000), ref: 006D1828
GetCurrentProcess.KERNEL32(?,00000000,?,006D1449,?,?,00000000), ref: 006D1830
DuplicateHandle.KERNEL32(00000000,?,006D1449,?,?,00000000), ref: 006D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006D1449,?,?,00000000), ref: 006D1843
GetCurrentProcess.KERNEL32(006D1449,00000000,?,006D1449,?,?,00000000), ref: 006D184B
DuplicateHandle.KERNEL32(00000000,?,006D1449,?,?,00000000), ref: 006D184E
CreateThread.KERNEL32(00000000,00000000,006D1874,00000000,00000000,00000000), ref: 006D1868

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ef672dc6a7adb94e9f1a8c74c72bb4892f120e7c400fedcefb95a5c3decefa95
Instruction ID: eb80c960bd1e4e1e56d19bb185b584f443b2bd7f861571f33673b222af157613
Opcode Fuzzy Hash: ef672dc6a7adb94e9f1a8c74c72bb4892f120e7c400fedcefb95a5c3decefa95
Instruction Fuzzy Hash: 1E01ACB5640308FFE611EB65DC4AF577B6CEB89B11F018611FA05DB191CA749800CB24

Function 006A3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006A3F0B
__alldvrm.LIBCMT ref: 006A410C
__alldvrm.LIBCMT ref: 006A412E

Strings

}}i, xrefs: 006A3E96, 006A3EF1, 006A3F0A, 006A4090
}}i, xrefs: 006A3E8A
}}i, xrefs: 006A40CD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}i$}}i$}}i
API String ID: 1036877536-2749193350
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 09862110ecb17950e8c3f21835a265b2b7b2fc0569b60dd21effbf29a2ed4e93
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 18A13671D102969FDB11AF18CC917FABBE6EFA3350F1441ADE5859B381CAB48D81CB50

Function 006FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 006DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 006DD501
Part of subcall function 006DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 006DD50F
Part of subcall function 006DD4DC: CloseHandle.KERNELBASE(00000000), ref: 006DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006FA16D
GetLastError.KERNEL32 ref: 006FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 006FA268
GetLastError.KERNEL32(00000000), ref: 006FA273
CloseHandle.KERNEL32(00000000), ref: 006FA2C4

Strings

SeDebugPrivilege, xrefs: 006FA18F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b63b76156d641080ffb7930d799455b8103ac52e8299e6aae97cf7642896fe16
Instruction ID: 5aff731c2cb228ab64cf7577421d54f0aa21ffd12b1a4c9f7018611e4f2106aa
Opcode Fuzzy Hash: b63b76156d641080ffb7930d799455b8103ac52e8299e6aae97cf7642896fe16
Instruction Fuzzy Hash: 7D61B0B02042429FD710DF58C494F69BBE2AF44318F18C58CE56A4B7A3C776ED45CB96

Function 00703886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00703925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0070393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00703954
_wcslen.LIBCMT ref: 00703999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007039F4

Strings

SysListView32, xrefs: 007038F7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 45b8f4a1b36e9b1665477addd177c8265be09fd54c07bac0a3de18a97d0a1e0d
Instruction ID: 6a04596dacc7579b1bf9a65f365954b6a0a13a3359edfcdffeb357a65b6c391e
Opcode Fuzzy Hash: 45b8f4a1b36e9b1665477addd177c8265be09fd54c07bac0a3de18a97d0a1e0d
Instruction Fuzzy Hash: 3241B271A00219EBEF219F64CC49BEA77EDEF08354F10426AF958E72C1D7799980CB94

Function 006DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006DBCFD
IsMenu.USER32(00000000), ref: 006DBD1D
CreatePopupMenu.USER32 ref: 006DBD53
GetMenuItemCount.USER32(01615628), ref: 006DBDA4
InsertMenuItemW.USER32(01615628,?,00000001,00000030), ref: 006DBDCC

Strings

2, xrefs: 006DBD37
0, xrefs: 006DBCA8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f02747dc1e7ad89c70dae8c27a68677f28f715c5778d199a7794ffdf1d1114ea
Instruction ID: 67e2e791c30c30440180751ad8677cd07bd525d73a6c99bf25441ff0efcd3803
Opcode Fuzzy Hash: f02747dc1e7ad89c70dae8c27a68677f28f715c5778d199a7794ffdf1d1114ea
Instruction Fuzzy Hash: 3751AC70E00209EBDB21CFA8D884BEEBBF7AF49314F25921AE441D7398D7709941CB65

Function 00692D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00692D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00692D53
_ValidateLocalCookies.LIBCMT ref: 00692DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00692E0C
_ValidateLocalCookies.LIBCMT ref: 00692E61

Strings

csm, xrefs: 00692DF6
&Hi, xrefs: 00692DFE, 00692E07, 00692E18

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hi$csm
API String ID: 1170836740-3182968335
Opcode ID: 909f681e87e1e587ee92a4b9eb82afdf5526e11797724bdb8d726598732fcb99
Instruction ID: 3205d1a90cf8b17c2e74eb8b6ecceb0443587f409363a963727d850fb2be1d8c
Opcode Fuzzy Hash: 909f681e87e1e587ee92a4b9eb82afdf5526e11797724bdb8d726598732fcb99
Instruction Fuzzy Hash: A941A434A0121AABCF10DF68C855ADEBBBABF44324F148159E8146B792D7359A45CBD0

Function 006DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006DC913

Strings

blank, xrefs: 006DC895
question, xrefs: 006DC8CC
stop, xrefs: 006DC8E4
warning, xrefs: 006DC8FC
info, xrefs: 006DC8B4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e9d624c311c0e71f7b73fe18215acae04106180f67581b12c18cb07225661f46
Instruction ID: 52e4f56932625c58140859cf7a9a9701aba3c97470f322aa8a4e4dc35698d684
Opcode Fuzzy Hash: e9d624c311c0e71f7b73fe18215acae04106180f67581b12c18cb07225661f46
Instruction Fuzzy Hash: AA110D31E8930FBAEB015B55DC93CEA679DDF15374B50412FF504AA382EF745D029268

Function 006DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006DDE42
gethostname.WSOCK32(?,00000100), ref: 006DDE5C
gethostbyname.WSOCK32(?), ref: 006DDE69
inet_ntoa.WSOCK32(?), ref: 006DDEAB
_strcat.LIBCMT ref: 006DDEB9
WSACleanup.WSOCK32 ref: 006DDEDE

Strings

0.0.0.0, xrefs: 006DDE87

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 20e042183425df6bade0258144522f480b72338cbb935a9c3b49321a602ef9db
Instruction ID: 0c3aa70b762fc6c38f43c21fab94aa46a1ab6fbb5100208900ccf749663aa930
Opcode Fuzzy Hash: 20e042183425df6bade0258144522f480b72338cbb935a9c3b49321a602ef9db
Instruction Fuzzy Hash: 0711E471904104BBDB61BB64DC0AEEE77AEDB50711F00426AF4059A291EF758A828B64

Function 006DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006DED2A
_wcslen.LIBCMT ref: 006DED3B
_wcslen.LIBCMT ref: 006DED79
_wcslen.LIBCMT ref: 006DEDAF
_wcslen.LIBCMT ref: 006DEDDF
_wcslen.LIBCMT ref: 006DEDEF
_wcslen.LIBCMT ref: 006DEE2B
_wcslen.LIBCMT ref: 006DEE5A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 93a89ff810cfe9e4dbb9530c6e21bfcad32dad85b7d329cf7135e2ac6aefaef2
Instruction ID: 6f74209bb422ebd463b90c110a7ff70d944093fd40f6959a18d3bd15cc6144fb
Opcode Fuzzy Hash: 93a89ff810cfe9e4dbb9530c6e21bfcad32dad85b7d329cf7135e2ac6aefaef2
Instruction Fuzzy Hash: DD418E65C1021865CF51EBB4C88A9CFB7AEAF45710F50856BF518E3622EB34E345C3E9

Function 0068F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 0068F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 006CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 006CF454

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ca43b4238af6012c062c7364d1455d49cb1c7e6e58f5f5f1de72d825ec9d365b
Instruction ID: 4761b7dd533359bf66a192223f631e206caa7a11c7099864f218f7b46d230085
Opcode Fuzzy Hash: ca43b4238af6012c062c7364d1455d49cb1c7e6e58f5f5f1de72d825ec9d365b
Instruction Fuzzy Hash: F8410B31604680FACF39AB29C888BBA7BD7EB56310F14873DF14756661CA3AA881C751

Function 00702D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00702D1B
GetDC.USER32(00000000), ref: 00702D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00702D2E
ReleaseDC.USER32(00000000,00000000), ref: 00702D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00702D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00702D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00705A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00702DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00702DE1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5c46a6ed5478c71badfeb5d148e0a94dbef7f655205e1987a8c25bde12ca5f6f
Instruction ID: 18cb79cbd0deb4d6c4d8faab1d6acae193abd08c1e2e90dfddf28b907ba514ef
Opcode Fuzzy Hash: 5c46a6ed5478c71badfeb5d148e0a94dbef7f655205e1987a8c25bde12ca5f6f
Instruction Fuzzy Hash: DE316D72201214BBEB254F50CC89FEB3BADEB09715F048255FE089A2D1CA799C51C7A4

Function 006D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 006D5637
_memcmp.LIBVCRUNTIME ref: 006D5659
_memcmp.LIBVCRUNTIME ref: 006D5671
_memcmp.LIBVCRUNTIME ref: 006D5684
_memcmp.LIBVCRUNTIME ref: 006D569E
_memcmp.LIBVCRUNTIME ref: 006D56B1
_memcmp.LIBVCRUNTIME ref: 006D56C9
_memcmp.LIBVCRUNTIME ref: 006D56E4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7df87ae49d766603cf6a19365a65cd6d9f1030a32d5bc69e109d775fbe36b23f
Instruction ID: 9c42e6554a52075350f9fe4fb24d8afaf7adb4879f997c180c38f0434f5be617
Opcode Fuzzy Hash: 7df87ae49d766603cf6a19365a65cd6d9f1030a32d5bc69e109d775fbe36b23f
Instruction Fuzzy Hash: 78213AA1E40A09F7E61456208DA2FFB33AFAF11384F640026FD065EF81FB24ED1181A8

Function 006F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 006F502E, 006F5383
Not an Object type, xrefs: 006F5007

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f308a529f0c3ff8f102c794adf61c903a67a4c8123a64d517643f4ef13d98016
Instruction ID: 71a0a4d318dd0594008c0298ac2c4c7607c3ed9f5874e6f9424cdcab5b8d76f8
Opcode Fuzzy Hash: f308a529f0c3ff8f102c794adf61c903a67a4c8123a64d517643f4ef13d98016
Instruction Fuzzy Hash: 5AD18071A0060AAFDB14DF98C881BFEB7B6BF48344F148169EA16AB281E771DD45CB50

Function 006B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 006B15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006B1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006B16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006B16FB

Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006B1777
__freea.LIBCMT ref: 006B17A2
__freea.LIBCMT ref: 006B17AE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: fbda61ab4bf939caf0dbc5d51a61adcd8fb8a223ebdb97ea10148ecbd8e86301
Instruction ID: ab08c8e059c0d446a027033824565beb3ada17191038664e6749f4d833db0e0f
Opcode Fuzzy Hash: fbda61ab4bf939caf0dbc5d51a61adcd8fb8a223ebdb97ea10148ecbd8e86301
Instruction Fuzzy Hash: 1B91A7F2E10216BADF219F64C861AEE7BB79F46310F944669E801EF241DB35DD81CB60

Function 006F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006F4648
VariantInit.OLEAUT32(?), ref: 006F4749
VariantClear.OLEAUT32(?), ref: 006F4753
VariantClear.OLEAUT32(?), ref: 006F47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006F45D8, 006F4706, 006F47BE
Incorrect Object type in FOR..IN loop, xrefs: 006F472C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 22a7352f80b31378b485737d058ffed73ac8ea9af20f5dc60fba81a2becb1e18
Instruction ID: ccafdae2eaa156d9244f70069079c10319f6425691eccd07fed930571519d92a
Opcode Fuzzy Hash: 22a7352f80b31378b485737d058ffed73ac8ea9af20f5dc60fba81a2becb1e18
Instruction Fuzzy Hash: A3919171A00219ABDF24DFA5C884FEF7BBAEF45710F108559F605AB280DB709941CFA0

Function 006E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 006E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 006E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006E1430

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a4fa3d0794b88038bc4cac9b31f5ccedcfd883489f6bef8dd392247a15b201d1
Instruction ID: ee3364e34539cad95b8ae3c80cd2547d54f0e75e349922a3cbed448b5a3df7cd
Opcode Fuzzy Hash: a4fa3d0794b88038bc4cac9b31f5ccedcfd883489f6bef8dd392247a15b201d1
Instruction Fuzzy Hash: EC91CE71A013499FDB019FA5C884BFEB7B6FF46314F148129EA00EB291D774A981DB94

Function 0068948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8591dfef9a5a902f2cab8b6d58c38f83a6a6b79bed83c862ad59c1bc14455917
Instruction ID: dc2012e2870f37fbf3d9463bcf97227a1db985ade4a88fc053a53e675483b50e
Opcode Fuzzy Hash: 8591dfef9a5a902f2cab8b6d58c38f83a6a6b79bed83c862ad59c1bc14455917
Instruction Fuzzy Hash: A7912871900219EFCB11DFA9CC84AEEBBB9FF49320F148259E515B7251D778AA42CF60

Function 006F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006F396B
CharUpperBuffW.USER32(?,?), ref: 006F3A7A
_wcslen.LIBCMT ref: 006F3A8A
VariantClear.OLEAUT32(?), ref: 006F3C1F

Part of subcall function 006E0CDF: VariantInit.OLEAUT32(00000000), ref: 006E0D1F
Part of subcall function 006E0CDF: VariantCopy.OLEAUT32(?,?), ref: 006E0D28
Part of subcall function 006E0CDF: VariantClear.OLEAUT32(?), ref: 006E0D34

Strings

Incorrect Parameter format, xrefs: 006F39A6, 006F3BA1
AUTOIT.ERROR, xrefs: 006F3A80, 006F3A85

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: e18b947eaa557e24c874f2ab203c954f8e7893d2a3ab9a18dcf62e43cf850b8e
Instruction ID: 5a028cc8bece9984f7a8d3b7f64f13a1693ac79d1b269c990f76979706ca671d
Opcode Fuzzy Hash: e18b947eaa557e24c874f2ab203c954f8e7893d2a3ab9a18dcf62e43cf850b8e
Instruction Fuzzy Hash: 4A919A746083059FC744EF24C49186AB7E6FF88314F14892DF98A9B351DB31EE46CB96

Function 006F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 006D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?,?,006D035E), ref: 006D002B
Part of subcall function 006D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0046
Part of subcall function 006D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0054
Part of subcall function 006D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?), ref: 006D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006F4C51
_wcslen.LIBCMT ref: 006F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006F4DCF
CoTaskMemFree.OLE32(?), ref: 006F4DDA

Strings

NULL Pointer assignment, xrefs: 006F4E23, 006F4E52

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bc0f47f79175b9ea75e6bd5d76fc8e258bee3a4f75774733753b778523d4fa87
Instruction ID: ab5772f8b430c3d32abf7a4a95d494ba78dbc0cd82398f652e193c267042c56a
Opcode Fuzzy Hash: bc0f47f79175b9ea75e6bd5d76fc8e258bee3a4f75774733753b778523d4fa87
Instruction Fuzzy Hash: 12912971D0021DEFDF14DFA4C891AEEB7BABF48310F10816AE519A7251EB345A45CFA4

Function 007020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00702183
GetMenuItemCount.USER32(00000000), ref: 007021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007021DD
_wcslen.LIBCMT ref: 00702213
GetMenuItemID.USER32(?,?), ref: 0070224D
GetSubMenu.USER32(?,?), ref: 0070225B

Part of subcall function 006D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D3A57
Part of subcall function 006D3A3D: GetCurrentThreadId.KERNEL32 ref: 006D3A5E
Part of subcall function 006D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006D25B3), ref: 006D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007022E3

Part of subcall function 006DE97B: Sleep.KERNEL32 ref: 006DE9F3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0ebe7acc976201495d12b8596abaca4d481d29662a81bccbe46992554958cd44
Instruction ID: 9c9a81992fed742fddc66f718af10f91ba5d456708ba18accb8b395fc1e3456c
Opcode Fuzzy Hash: 0ebe7acc976201495d12b8596abaca4d481d29662a81bccbe46992554958cd44
Instruction Fuzzy Hash: E8717376E00205EFCB51DFA4C845AAEB7F5FF48310F158559E816EB392DB38AD428B90

Function 00707E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01615678), ref: 00707F37
IsWindowEnabled.USER32(01615678), ref: 00707F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0070801E
SendMessageW.USER32(01615678,000000B0,?,?), ref: 00708051
IsDlgButtonChecked.USER32(?,?), ref: 00708089
GetWindowLongW.USER32(01615678,000000EC), ref: 007080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007080C3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b7ced1fdc22eea0dc27669285e6d99ac8aa7ee2b3fdd9410fb00c7a57ce4e723
Instruction ID: dccb6cddaeb5bef29584e9c325d418a81e1e8c59f32d78eb2671a22585cb2432
Opcode Fuzzy Hash: b7ced1fdc22eea0dc27669285e6d99ac8aa7ee2b3fdd9410fb00c7a57ce4e723
Instruction Fuzzy Hash: C9718034A08209EFEF25DF54C884FAA7BF5EF09300F144659E945972E1CB39B946CB21

Function 006DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006DAEF9
GetKeyboardState.USER32(?), ref: 006DAF0E
SetKeyboardState.USER32(?), ref: 006DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 006DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 006DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 006DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006DB020

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 043af0cb1be4700f9fe427f778701e8547483125b6af02a8bf9c2a297f7fabc5
Instruction ID: 2b0489891ab7864c9d52ffbce37fd8ca7648c4fd1601cba0003b2506cd738a61
Opcode Fuzzy Hash: 043af0cb1be4700f9fe427f778701e8547483125b6af02a8bf9c2a297f7fabc5
Instruction Fuzzy Hash: 2A51E1A1E083D17DFB3643748845BFBBEAA5B06304F08858AE1D985AC2C399A9C8D751

Function 006DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006DAD19
GetKeyboardState.USER32(?), ref: 006DAD2E
SetKeyboardState.USER32(?), ref: 006DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006DAE38

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c54d3b21f73a98c052cdd55a403d0c1d1d514e8f54e158fe3b728a14135bdf79
Instruction ID: 218ac6f0fbc4ace1fb4c08258d0be01ac91a568c254b1f1694179c89aa322723
Opcode Fuzzy Hash: c54d3b21f73a98c052cdd55a403d0c1d1d514e8f54e158fe3b728a14135bdf79
Instruction Fuzzy Hash: 1651C4B1D087D53DFB3243A48C55BBA7FAB5F46300F08858AE1D546B82C694EC84E766

Function 006A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(006B3CD6,?,?,?,?,?,?,?,?,006A5BA3,?,?,006B3CD6,?,?), ref: 006A5470
__fassign.LIBCMT ref: 006A54EB
__fassign.LIBCMT ref: 006A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006B3CD6,00000005,00000000,00000000), ref: 006A552C
WriteFile.KERNEL32(?,006B3CD6,00000000,006A5BA3,00000000,?,?,?,?,?,?,?,?,?,006A5BA3,?), ref: 006A554B
WriteFile.KERNEL32(?,?,00000001,006A5BA3,00000000,?,?,?,?,?,?,?,?,?,006A5BA3,?), ref: 006A5584

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 016ac131edd1c08c35bbdabb11c70abed8abf0a652261ceadfdb5cee7b8d7a2c
Instruction ID: c5186868d9ee7a636b5210b62c84bf92ab4b83b227b928ce1e3f662060fbbecb
Opcode Fuzzy Hash: 016ac131edd1c08c35bbdabb11c70abed8abf0a652261ceadfdb5cee7b8d7a2c
Instruction Fuzzy Hash: 395191B0D006499FDB11DFA8D845AEEBBFAEF0A300F14415AE956E7291D730AE41CF64

Function 006F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006F307A
Part of subcall function 006F304E: _wcslen.LIBCMT ref: 006F309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006F1112
WSAGetLastError.WSOCK32 ref: 006F1121
WSAGetLastError.WSOCK32 ref: 006F11C9
closesocket.WSOCK32(00000000), ref: 006F11F9

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 29746eddab90c23ffdfeee4bad7dbda2359ce4604650bcb88c4de17ffcd5db65
Instruction ID: 651cef68260162f32d1c9dbc8b9e0b2d87867c891ab678f505f7b37e079a4987
Opcode Fuzzy Hash: 29746eddab90c23ffdfeee4bad7dbda2359ce4604650bcb88c4de17ffcd5db65
Instruction Fuzzy Hash: 3A41D331600208EFDB10DF24C844BB9B7AAEF46368F14C159FA199F391CB74AD41CBA5

Function 006DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006DCF22,?), ref: 006DDDFD

Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006DCF22,?), ref: 006DDE16

lstrcmpiW.KERNEL32(?,?), ref: 006DCF45
MoveFileW.KERNEL32(?,?), ref: 006DCF7F
_wcslen.LIBCMT ref: 006DD005
_wcslen.LIBCMT ref: 006DD01B
SHFileOperationW.SHELL32(?), ref: 006DD061

Strings

\*.*, xrefs: 006DCFF3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 92344721878f63803becc69f6bcdaccfc38704fe8057f9680be457b4b9d56be1
Instruction ID: 97bdcb6724369ddac1b51a96835b40c2aa56c4e55b4509a83d3e5c7f9c7946f1
Opcode Fuzzy Hash: 92344721878f63803becc69f6bcdaccfc38704fe8057f9680be457b4b9d56be1
Instruction Fuzzy Hash: 9A414671D4521D9FDF52EBA4CD81EDDB7BAAF48340F1000EBE505EB241EA34A685CB54

Function 00702DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00702E1C
GetWindowLongW.USER32(?,000000F0), ref: 00702E4F
GetWindowLongW.USER32(?,000000F0), ref: 00702E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00702EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00702EE0
GetWindowLongW.USER32(?,000000F0), ref: 00702EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00702F0B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 1f9e6a0e6c944f76ce761bca823f7a13b9e8992206747e358760c08bfcb1f029
Instruction ID: fdae566cf3ca6a9e678b6a3c1bbfed0c9f183b755405ae6570089816d347c564
Opcode Fuzzy Hash: 1f9e6a0e6c944f76ce761bca823f7a13b9e8992206747e358760c08bfcb1f029
Instruction Fuzzy Hash: 2E311436684140EFDB219F58DC8CF6537E4EB4A750F1542A5FA048B2F2CB79A8829B04

Function 006D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D778F
SysAllocString.OLEAUT32(00000000), ref: 006D7792
SysAllocString.OLEAUT32(?), ref: 006D77B0
SysFreeString.OLEAUT32(?), ref: 006D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006D77DE
SysAllocString.OLEAUT32(?), ref: 006D77EC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 259a9af0b7bcbd174edd88e58dfb0c6eb90341cbd7ee5d0f197f2b32cb50b0cd
Instruction ID: 425391c5ff01bef7c846609a36971bbdce046f4215e3a3ae972892aea3272c02
Opcode Fuzzy Hash: 259a9af0b7bcbd174edd88e58dfb0c6eb90341cbd7ee5d0f197f2b32cb50b0cd
Instruction Fuzzy Hash: 1021B576A04219AFDB10DFA8CC88CFB77ADFB093647008626F904DB390EA74DC418765

Function 006D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006D7868
SysAllocString.OLEAUT32(00000000), ref: 006D786B
SysAllocString.OLEAUT32 ref: 006D788C
SysFreeString.OLEAUT32 ref: 006D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 006D78AF
SysAllocString.OLEAUT32(?), ref: 006D78BD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ec2ab16df1b4246f2a56e06d390f4a730dba60bbbec6bf271cc7f3826287b48a
Instruction ID: e434b4a86a5bfda965b90659265c98dbe2e51124cb0544ddd6acedb42984ed83
Opcode Fuzzy Hash: ec2ab16df1b4246f2a56e06d390f4a730dba60bbbec6bf271cc7f3826287b48a
Instruction Fuzzy Hash: D5216271A04104AFDB10AFA8DC8DDAA77ADFB097607108236F915CB3A1EA74DC41DB69

Function 006E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006E052E

Strings

nul, xrefs: 006E0567

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 144ea9f116a60e5478c443dea72d9b07f926be5e622533d9e817849a9e51efb5
Instruction ID: e14574a9fba22bd092472241783d43391e149fa9a6d9df02a37f0164bc7ac107
Opcode Fuzzy Hash: 144ea9f116a60e5478c443dea72d9b07f926be5e622533d9e817849a9e51efb5
Instruction Fuzzy Hash: D22171B5501345EFEB209F2ADD44A9A77B5BF45724F608A19F8A1D72E0D7B0D980CF20

Function 006E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006E0601

Strings

nul, xrefs: 006E0639

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4c93b143a92ec3a732fac788a834d03dba4972aa0c5536c1f4251bd4c4c34d1f
Instruction ID: 12b89ac456c36b0bfe59ce2e0efb3d7852655cc4762fb695ec8371236c67dfbf
Opcode Fuzzy Hash: 4c93b143a92ec3a732fac788a834d03dba4972aa0c5536c1f4251bd4c4c34d1f
Instruction Fuzzy Hash: FA21A175501345EBEB208F6A9C04B9A77E5BF85720F204B19F8A1E32E0DBF098A1CB14

Function 007040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0067600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0067604C
Part of subcall function 0067600E: GetStockObject.GDI32(00000011), ref: 00676060
Part of subcall function 0067600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0067606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00704112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0070411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0070412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00704139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00704145

Strings

Msctls_Progress32, xrefs: 007040E3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e6825231cefd151e5008d72f1bca5bb07ee54e1551d64f1ab2b4a448b4458a75
Instruction ID: 7f5853f06ab22ebde8b485ac2a9c3db848af54572bb50d62699d60477ea7a71e
Opcode Fuzzy Hash: e6825231cefd151e5008d72f1bca5bb07ee54e1551d64f1ab2b4a448b4458a75
Instruction Fuzzy Hash: 2A11B6B215011DBEEF119F64CC85EE77F9DEF08798F004211B718A2090CB769C61DBA4

Function 006AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006AD7A3: _free.LIBCMT ref: 006AD7CC

_free.LIBCMT ref: 006AD82D

Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0

_free.LIBCMT ref: 006AD838
_free.LIBCMT ref: 006AD843
_free.LIBCMT ref: 006AD897
_free.LIBCMT ref: 006AD8A2
_free.LIBCMT ref: 006AD8AD
_free.LIBCMT ref: 006AD8B8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: a64499e1e086aba0b0841a00f6f938f4c1c42f1387912513222f46eea773221f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: EC115171580B04AAD5A1BFB1CC47FCB7BDE6F02B00F40082DB29AA68A2DA65FD054E55

Function 006DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006DDA74
LoadStringW.USER32(00000000), ref: 006DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006DDA91
LoadStringW.USER32(00000000), ref: 006DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006DDAB9

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a0169f0420ee0beefbaaea15fdd0a99841e8abfef74d5ce5207f3b2a2985e9d4
Instruction ID: b6c12f62774040c66ffb1e3685be5e9f31ad69b6a6eab6131c83b6a59b332128
Opcode Fuzzy Hash: a0169f0420ee0beefbaaea15fdd0a99841e8abfef74d5ce5207f3b2a2985e9d4
Instruction Fuzzy Hash: 88018BF6900208BFF711A7A4DD89EE7336CD704701F448656B706E2181EA789E844F74

Function 006E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0160E100,0160E100), ref: 006E097B
EnterCriticalSection.KERNEL32(0160E0E0,00000000), ref: 006E098D
TerminateThread.KERNEL32(?,000001F6), ref: 006E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 006E09A9
CloseHandle.KERNEL32(?), ref: 006E09B8
InterlockedExchange.KERNEL32(0160E100,000001F6), ref: 006E09C8
LeaveCriticalSection.KERNEL32(0160E0E0), ref: 006E09CF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d30b6f619768579eae440c1a6b2b0b7855e4de60e22e75754e32e9f3373d763b
Instruction ID: aeebc7be031bc00582d031b2e7e390bc6d61db46df9f2deccaafb9de2d0c33af
Opcode Fuzzy Hash: d30b6f619768579eae440c1a6b2b0b7855e4de60e22e75754e32e9f3373d763b
Instruction Fuzzy Hash: DDF0C932442A12EBE7525FA4EE89AD6BA29BF05702F406325F20294CA1CB799465CF94

Function 00675D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00675D30
GetWindowRect.USER32(?,?), ref: 00675D71
ScreenToClient.USER32(?,?), ref: 00675D99
GetClientRect.USER32(?,?), ref: 00675ED7
GetWindowRect.USER32(?,?), ref: 00675EF8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f2156dfc6237fb5bef3ae6e7cdcab349f0031a15de40b4c43e327e97acb05c43
Instruction ID: 919006c649390d16615b24505d0b59b24573b16d2a28e36fec2bdab038887025
Opcode Fuzzy Hash: f2156dfc6237fb5bef3ae6e7cdcab349f0031a15de40b4c43e327e97acb05c43
Instruction Fuzzy Hash: 7DB15A74A0074ADBDB14CFA9C4407EAB7F2FF48310F14851AE8AAD7250DB74AA91DB54

Function 006A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A00D6
__allrem.LIBCMT ref: 006A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A010B
__allrem.LIBCMT ref: 006A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A0140

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 5828684f617a31139c901ac88bc7c8be95be4c906c107b71ee5772108c0cf703
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 2981C372A00B06ABEB20AF68CC41BAA73EAAF42324F25452EF551D6781E770DD418F54

Function 006F1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006F3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,006F101C,00000000,?,?,00000000), ref: 006F3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006F1DE1
WSAGetLastError.WSOCK32 ref: 006F1DF2
inet_ntoa.WSOCK32(?), ref: 006F1E8C
htons.WSOCK32(?,?,?,?,?), ref: 006F1EDB
_strlen.LIBCMT ref: 006F1F35

Part of subcall function 006D39E8: _strlen.LIBCMT ref: 006D39F2

Part of subcall function 00676D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0068CF58,?,?,?), ref: 00676DBA
Part of subcall function 00676D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0068CF58,?,?,?), ref: 00676DED

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: f278bb292c2b213e46e92016dd341411af97b129ec550c8b2dde25d575ef7b04
Instruction ID: 12c7433436560c4cdc13c8b156be19d1b3a8aa19e5bf33deb19d244f07d4d38d
Opcode Fuzzy Hash: f278bb292c2b213e46e92016dd341411af97b129ec550c8b2dde25d575ef7b04
Instruction Fuzzy Hash: 61A1CB30104304AFD364EB20C895E6A77E6AF85358F548A4CF55A9F2A2DB31ED46CB92

Function 006A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006982D9,006982D9,?,?,?,006A644F,00000001,00000001,8BE85006), ref: 006A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006A644F,00000001,00000001,8BE85006,?,?,?), ref: 006A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006A63D8
__freea.LIBCMT ref: 006A63E5

Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852

__freea.LIBCMT ref: 006A63EE
__freea.LIBCMT ref: 006A6413

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2092e0d47b353e31aa50229d1b38e31ea126135257bdc84f72e9705fe9c7585c
Instruction ID: 9b79756a7182eb07860e8c6135a8e6feb4c502ba6e6caa75dd6735b809b9a1cb
Opcode Fuzzy Hash: 2092e0d47b353e31aa50229d1b38e31ea126135257bdc84f72e9705fe9c7585c
Instruction Fuzzy Hash: 7151B3B2600216ABDF25AF64CC81EEF77ABEF46750F194629FC05D6240DB34DD41CA60

Function 006FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FC9F1
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA68
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006FBD25
RegCloseKey.ADVAPI32(00000000), ref: 006FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006FBDF3
RegCloseKey.ADVAPI32(?), ref: 006FBDFF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 6c13f57edfe6a864fb474b663e50ad8a86525003007b18bb34f31608d3dadb82
Instruction ID: 40c59e34cf46d9635542fc9f70b76406bb5d73dc14a62e5d084f96fb03563232
Opcode Fuzzy Hash: 6c13f57edfe6a864fb474b663e50ad8a86525003007b18bb34f31608d3dadb82
Instruction Fuzzy Hash: 1681AD30208245EFD714DF24C885E6ABBE6FF84348F14995CF6598B2A2DB31ED45CB92

Function 006CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 006CF7B9
SysAllocString.OLEAUT32(00000001), ref: 006CF860
VariantCopy.OLEAUT32(006CFA64,00000000), ref: 006CF889
VariantClear.OLEAUT32(006CFA64), ref: 006CF8AD
VariantCopy.OLEAUT32(006CFA64,00000000), ref: 006CF8B1
VariantClear.OLEAUT32(?), ref: 006CF8BB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 275d765f2b7cb8911b96fba1744f176b5e26af6d7c08356a1335ebf6e47987ba
Instruction ID: f15c8eccec6638d31e41447a5bb8febbda03871b044d0f847855cad2f7024dfb
Opcode Fuzzy Hash: 275d765f2b7cb8911b96fba1744f176b5e26af6d7c08356a1335ebf6e47987ba
Instruction Fuzzy Hash: 0A51B131A01310ABCF64AB65D895F79B3E7EF45710B20946EF906DF291DB708C41CBAA

Function 006E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006E94E5
_wcslen.LIBCMT ref: 006E9506
_wcslen.LIBCMT ref: 006E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 006E9585

Strings

X, xrefs: 006E9412

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 385b6176507f7f37d6f779548dba2f34d45923c9201aba2dccff70211aad5ad3
Instruction ID: ac10117f35e401a395bd90b94a47c4b1a303f48970a4628c3b3ab987c64d9954
Opcode Fuzzy Hash: 385b6176507f7f37d6f779548dba2f34d45923c9201aba2dccff70211aad5ad3
Instruction Fuzzy Hash: B8E1C231504340DFD764DF25C881AAAB7E6BF84314F04896DF8899B3A2EB31DD05CBA6

Function 0068920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

BeginPaint.USER32(?,?,?), ref: 00689241
GetWindowRect.USER32(?,?), ref: 006892A5
ScreenToClient.USER32(?,?), ref: 006892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006892D3
EndPaint.USER32(?,?,?,?,?), ref: 00689321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006C71EA

Part of subcall function 00689339: BeginPath.GDI32(00000000), ref: 00689357

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: e653bf4c44fb3c0b228f06d7fb8794addfedd94565c081956bf318b149c63b63
Instruction ID: 120e66054e95306fd7e4edd5b85d30fdd7f2330b4bba4cbdbd001fa2c5b2994b
Opcode Fuzzy Hash: e653bf4c44fb3c0b228f06d7fb8794addfedd94565c081956bf318b149c63b63
Instruction Fuzzy Hash: 6F419E70104200EFD721EF24DC94FBA7BAAEB46320F18436DF9A5872E1C775A845DB66

Function 006E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006E0847
EnterCriticalSection.KERNEL32(?), ref: 006E0863
LeaveCriticalSection.KERNEL32(?), ref: 006E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 006E0921

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fab0ee005ed75ede9dbdc539d5d6bb0515ef4de51b0c7a20b5e953dc265f92e9
Instruction ID: 133d3a4e94090ddc0b104ac0dd7677956038edb6fa4abe4f83777ce3dcfd191a
Opcode Fuzzy Hash: fab0ee005ed75ede9dbdc539d5d6bb0515ef4de51b0c7a20b5e953dc265f92e9
Instruction Fuzzy Hash: 37419E71900205EFEF15AF54DC85AAA777AFF44300F1081A9ED009E297DB74DE61CBA8

Function 007081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,006CF3AB,00000000,?,?,00000000,?,006C682C,00000004,00000000,00000000), ref: 0070824C
EnableWindow.USER32(?,00000000), ref: 00708272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007082D1
ShowWindow.USER32(?,00000004), ref: 007082E5
EnableWindow.USER32(?,00000001), ref: 0070830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0070832F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4cd0432fc5fec056690d91500166435605558b17626b459ed0fe539a17edcb87
Instruction ID: f0f73eca5965833b47b16edb397b114f9d06b5fef432b7e5df41a817c7c5d6cd
Opcode Fuzzy Hash: 4cd0432fc5fec056690d91500166435605558b17626b459ed0fe539a17edcb87
Instruction Fuzzy Hash: 3941A734601644EFDF61CF15C899BE87BE0FB4A714F1853A9E6484B2E2CB39A841CB56

Function 006D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006D4CEA
_wcslen.LIBCMT ref: 006D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006D4D10
_wcsstr.LIBVCRUNTIME ref: 006D4D1A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8b104a0e6a24b85b2a17db68a16a298e749aea35334584b509207cbf0fbec6c3
Instruction ID: ecbd7b254e79d0211498ff6ea0c78597edc6f75a970f887ef498e9328570876d
Opcode Fuzzy Hash: 8b104a0e6a24b85b2a17db68a16a298e749aea35334584b509207cbf0fbec6c3
Instruction Fuzzy Hash: F9212632A04200BBEB265B39EC49E7B7B9EDF45750F10816EF809CA391EE75CC4187A0

Function 006E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00673AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00673A97,?,?,00672E7F,?,?,?,00000000), ref: 00673AC2

_wcslen.LIBCMT ref: 006E587B
CoInitialize.OLE32(00000000), ref: 006E5995
CoCreateInstance.OLE32(0070FCF8,00000000,00000001,0070FB68,?), ref: 006E59AE
CoUninitialize.OLE32 ref: 006E59CC

Strings

.lnk, xrefs: 006E5876, 006E58C1, 006E5985

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a785d50f323c49731ba2084641c430b7c6d3608580ac4c7669864164583ed6e2
Instruction ID: 42487fa8fe76c7f85f6837b512aa28aa093f5921dcdb3a4329619e682e1d93f2
Opcode Fuzzy Hash: a785d50f323c49731ba2084641c430b7c6d3608580ac4c7669864164583ed6e2
Instruction Fuzzy Hash: C7D17370604741DFC714DF25C480A6ABBE2EF89718F14895DF88A9B362DB31EC05CB92

Function 006D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006D0FCA
Part of subcall function 006D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006D0FD6
Part of subcall function 006D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006D0FE5
Part of subcall function 006D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006D0FEC
Part of subcall function 006D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006D1002

GetLengthSid.ADVAPI32(?,00000000,006D1335), ref: 006D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006D17BA
HeapAlloc.KERNEL32(00000000), ref: 006D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006D17DA
GetProcessHeap.KERNEL32(00000000,00000000,006D1335), ref: 006D17EE
HeapFree.KERNEL32(00000000), ref: 006D17F5

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b9dcb413e0d4c92d5187e8620e4ff579e4a78c0f4039adb224d899544ba87709
Instruction ID: 784988f58872da0338934fbb307865636d7e6223d087657cadda0fc252b2d0ac
Opcode Fuzzy Hash: b9dcb413e0d4c92d5187e8620e4ff579e4a78c0f4039adb224d899544ba87709
Instruction Fuzzy Hash: 9F116A71A01205FBDB119FA4CC49BEE7BBAEB46355F10821AF441DB320DB79AA44CB64

Function 006D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 006D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006D1515
CloseHandle.KERNEL32(00000004), ref: 006D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 006D1563

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: eea657ebebba06c2a014cdbdf12f944852bf14d757f96c5a897fd7675ccbf5ca
Instruction ID: 012fa11f10b857b856997d639b704e8b743e6078dc57626953a1e304c3c1375e
Opcode Fuzzy Hash: eea657ebebba06c2a014cdbdf12f944852bf14d757f96c5a897fd7675ccbf5ca
Instruction Fuzzy Hash: 36115E7250020DFBDF12CF94DD49BDE7BAAEF45704F048215FA05A6260C7B58E60DB61

Function 00693382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00693379,00692FE5), ref: 00693390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0069339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006933B7
SetLastError.KERNEL32(00000000,?,00693379,00692FE5), ref: 00693409

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ededd71377615e25e62bda51b7ea80226a95adfb1d1890493b8ba22354a61f90
Instruction ID: 067a3a409bb4af13224c88f4bc4db8829fe5d26c2bb4b1b3c1d6cde4ad006e2d
Opcode Fuzzy Hash: ededd71377615e25e62bda51b7ea80226a95adfb1d1890493b8ba22354a61f90
Instruction Fuzzy Hash: 4801F13224D331AEEF2A27746C859A62A9EEB1577A320832DF41094BF0EF114D02564C

Function 006A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006A5686,006B3CD6,?,00000000,?,006A5B6A,?,?,?,?,?,0069E6D1,?,00738A48), ref: 006A2D78
_free.LIBCMT ref: 006A2DAB
_free.LIBCMT ref: 006A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0069E6D1,?,00738A48,00000010,00674F4A,?,?,00000000,006B3CD6), ref: 006A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0069E6D1,?,00738A48,00000010,00674F4A,?,?,00000000,006B3CD6), ref: 006A2DEC
_abort.LIBCMT ref: 006A2DF2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9c40227c4aa448c772406e30ade126ca1923424abc5718f10a86fa4fe1637068
Instruction ID: e5c1febdbff7850fbc65bf89f893fd88296aad586d970beea1eb4a065565e5b4
Opcode Fuzzy Hash: 9c40227c4aa448c772406e30ade126ca1923424abc5718f10a86fa4fe1637068
Instruction Fuzzy Hash: BCF0F93158450267C263333D7C26B5B1657AFC3B61B20421CF424922D3EF289C015D69

Function 00708A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00689639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00689693
Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896A2
Part of subcall function 00689639: BeginPath.GDI32(?), ref: 006896B9
Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00708A4E
LineTo.GDI32(?,00000003,00000000), ref: 00708A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00708A70
LineTo.GDI32(?,00000000,00000003), ref: 00708A80
EndPath.GDI32(?), ref: 00708A90
StrokePath.GDI32(?), ref: 00708AA0

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: e26f03811dd2ff1cd3caa7c74a1f032b8159b5dea076738becdca903162c5bc6
Instruction ID: 43f4fedd53da0435edc8d7f37495a298163fa564be564de37f7fdb59cb4d4faf
Opcode Fuzzy Hash: e26f03811dd2ff1cd3caa7c74a1f032b8159b5dea076738becdca903162c5bc6
Instruction Fuzzy Hash: B8110C7600014CFFEB129F90DC88EAA7F6DEB04354F04C212FA15991A1DB759D55DBA4

Function 006D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 006D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006D5230
ReleaseDC.USER32(00000000,00000000), ref: 006D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 006D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 006D5261

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c24421a448a5c3e30adde19dda441d42fa71fa07b84a8d4525a33095126b5650
Instruction ID: a383e1a1da75fdd0b9e6695c9e13b488bafb6607fed43b19a9d9553399923793
Opcode Fuzzy Hash: c24421a448a5c3e30adde19dda441d42fa71fa07b84a8d4525a33095126b5650
Instruction Fuzzy Hash: A8018F75E00708FBEB119BA59C49F5EBFB9EB48351F048166FA05A7380DA709904CBA4

Function 00671BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00671BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00671BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00671C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00671C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00671C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00671C22

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9f51a2371efd75792af16a13f9eb99924cbd1f59d7f52156ce7b130990422236
Instruction ID: d68a60e6b6e8c438de954265f18b2041511159100e206ebb559d0eb12a289577
Opcode Fuzzy Hash: 9f51a2371efd75792af16a13f9eb99924cbd1f59d7f52156ce7b130990422236
Instruction Fuzzy Hash: 6E016CB0902759BDE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 006DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 006DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006DEB75

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fe31608b93825c3ce8605206191cec97484a0dd2540c3722f10a83bc74a9138f
Instruction ID: 2bdc17870ef43912a552c3e11c1d88777a7b7c11cec8d28298bf3c9362a5657b
Opcode Fuzzy Hash: fe31608b93825c3ce8605206191cec97484a0dd2540c3722f10a83bc74a9138f
Instruction Fuzzy Hash: 41F09072500118FBE72257529C0EEEF3A7CEFCAB11F008359F601D1190DBA51A01C6B9

Function 006C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 006C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 006C7469
GetWindowDC.USER32(?), ref: 006C7475
GetPixel.GDI32(00000000,?,?), ref: 006C7484
ReleaseDC.USER32(?,00000000), ref: 006C7496
GetSysColor.USER32(00000005), ref: 006C74B0

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1c15c0363d9dfc0bd25dbc52de4c39a9cfafd076c29ec7d5465d5b788d05dbd3
Instruction ID: daa58f340d3dba5b5165cfac607ee21e4383d219b672dd9f3265269fe5f865c6
Opcode Fuzzy Hash: 1c15c0363d9dfc0bd25dbc52de4c39a9cfafd076c29ec7d5465d5b788d05dbd3
Instruction Fuzzy Hash: EF017831400205EFDB225F64DC08BAA7BB6FB04321F608264FA15A21A0CF352E52AF14

Function 006D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 006D187F
UnloadUserProfile.USERENV(?,?), ref: 006D188B
CloseHandle.KERNEL32(?), ref: 006D1894
CloseHandle.KERNEL32(?), ref: 006D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006D18A5
HeapFree.KERNEL32(00000000), ref: 006D18AC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a951dc62f2c020cb168e4c5bf49b61e4aa9f7e6b89f87abff213c899cb1ea33c
Instruction ID: c5c0785664a5739c708fafbd5812f959e97522910d96d9287638a772c05dab1e
Opcode Fuzzy Hash: a951dc62f2c020cb168e4c5bf49b61e4aa9f7e6b89f87abff213c899cb1ea33c
Instruction Fuzzy Hash: 74E0C276004105FBDA025BA1ED0C90ABB39FB49B22B10C320F225810B0CF369820DB98

Function 0067BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0067BEB3

Strings

D%t, xrefs: 0067BDED, 0067BD91, 0067BD1B
D%tD%t, xrefs: 0067BCA5
D%t, xrefs: 0067BCA2
D%t, xrefs: 0067BE9A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%t$D%t$D%t$D%tD%t
API String ID: 1385522511-535996708
Opcode ID: 8354cb22951db66f1d0b49bba5f8906c64206985b804a661a601106f04ddc14f
Instruction ID: 27e6ae4f684b36ddf0c40748186e0c2c53a911560dc711845b9ef400cf0c0594
Opcode Fuzzy Hash: 8354cb22951db66f1d0b49bba5f8906c64206985b804a661a601106f04ddc14f
Instruction Fuzzy Hash: C8913B75A0020ADFCB14CF58C0906AAB7F2FF58314F64D16AE949AB351E731A992CB90

Function 006F7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00690242: EnterCriticalSection.KERNEL32(0074070C,00741884,?,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069024D
Part of subcall function 00690242: LeaveCriticalSection.KERNEL32(0074070C,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069028A

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006900A3: __onexit.LIBCMT ref: 006900A9

__Init_thread_footer.LIBCMT ref: 006F7BFB

Part of subcall function 006901F8: EnterCriticalSection.KERNEL32(0074070C,?,?,00688747,00742514), ref: 00690202
Part of subcall function 006901F8: LeaveCriticalSection.KERNEL32(0074070C,?,00688747,00742514), ref: 00690235

Strings

+Tl, xrefs: 006F7E2E
Variable must be of type 'Object'., xrefs: 006F7C3A
G, xrefs: 006F7C7F
5, xrefs: 006F7C78

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tl$5$G$Variable must be of type 'Object'.
API String ID: 535116098-841633982
Opcode ID: 6e6067e8893524f0b4512e50cb3b906f233fcc226dc777806ddf4ab811be2d6d
Instruction ID: 8e4d9193399a2afd1df0c648d70784ad4c89f8c758cf2d938790f46decacf5a2
Opcode Fuzzy Hash: 6e6067e8893524f0b4512e50cb3b906f233fcc226dc777806ddf4ab811be2d6d
Instruction Fuzzy Hash: 2E916874A04209EFCB04EF94D8919FDB7B2AF49300F50815DFA06AB3A2DB71AE41CB55

Function 006DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006DC6EE
_wcslen.LIBCMT ref: 006DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006DC7CA

Strings

0, xrefs: 006DC6AF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1ce62af9b0a2a37ba49c2f76c566014d36b10a9607fe358fc164e5faec05d71f
Instruction ID: 47b7ef66369fc331b1c14820ca7ee2c3cf7f91f99edf1e7644ed6481a14c2c39
Opcode Fuzzy Hash: 1ce62af9b0a2a37ba49c2f76c566014d36b10a9607fe358fc164e5faec05d71f
Instruction Fuzzy Hash: DF510371A043469BD754EF28C884BAB77EAAF89320F040A2EF995D33D0DB74D844CB56

Function 006FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 006FAEA3

Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625

GetProcessId.KERNEL32(00000000), ref: 006FAF38
CloseHandle.KERNEL32(00000000), ref: 006FAF67

Strings

<, xrefs: 006FAE6B
@, xrefs: 006FAE72

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 71de49d41cc776875e13a8f822c7f26bd394a25bb5f1ed17311d788877323aa4
Instruction ID: 1a62866bececd0f80fc95c04c55d45aa1355ed97e3a0882c04a037b0854d308b
Opcode Fuzzy Hash: 71de49d41cc776875e13a8f822c7f26bd394a25bb5f1ed17311d788877323aa4
Instruction Fuzzy Hash: 40715B71A00219DFCB14DF94C485AAEBBF2BF08314F14849DE95AAB362CB74ED41CB95

Function 006D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006D72CF

Strings

DllGetClassObject, xrefs: 006D7242

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b18cd1176def773b0fc40ac837dc35cd2252163fff3c268689c37208bacd6a9f
Instruction ID: cde84acddf40b3b800bbb2ab577c84919988c3e66f143a79ec8e3864d3cfb622
Opcode Fuzzy Hash: b18cd1176def773b0fc40ac837dc35cd2252163fff3c268689c37208bacd6a9f
Instruction Fuzzy Hash: D34181B1A04204EFDB15CF54C884A9A7BAAEF44310F1481AEFD059F34AE7B4DA45CBA1

Function 00703D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00703E35
IsMenu.USER32(?), ref: 00703E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00703E92
DrawMenuBar.USER32 ref: 00703EA5

Strings

0, xrefs: 00703D89

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8ad2ce8ebb6c8339a55d2a5aa89caac071160d05354d4c942fd0cb4c6ba2c990
Instruction ID: 805ac1ecec6d53aa20503521c76191d1b018654d64adaf9a1a369245865cfe37
Opcode Fuzzy Hash: 8ad2ce8ebb6c8339a55d2a5aa89caac071160d05354d4c942fd0cb4c6ba2c990
Instruction Fuzzy Hash: 17414879A01209EFDB10DF50D884AAABBF9FF49354F148329E915A7290D738AE54CF60

Function 006D1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 006D1EA9

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

Strings

ListBox, xrefs: 006D1E25
ComboBox, xrefs: 006D1DF0

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: adad02ab7f2010b928827c35a6c46aa091f39507433fd283f799fc0f7f816685
Instruction ID: 8fdb8e843e2345f1e3f32bb4e030cf18e7ec7698eb71271e1679dadbd4a49059
Opcode Fuzzy Hash: adad02ab7f2010b928827c35a6c46aa091f39507433fd283f799fc0f7f816685
Instruction Fuzzy Hash: 48212971E00104BEDB14AB64DC46CFFB7BADF86350B14821EF815A73E1DF7849068624

Function 006FC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006FC9F1
_wcslen.LIBCMT ref: 006FCA68
_wcslen.LIBCMT ref: 006FCA9E
_wcslen.LIBCMT ref: 006FCAF9
_wcslen.LIBCMT ref: 006FCB2F
_wcslen.LIBCMT ref: 006FCB7F

Strings

HKLM, xrefs: 006FCA98, 006FCA9D
HKEY_LOCAL_MACHINE, xrefs: 006FCA62, 006FCA67

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: e8c546b488ce723f3be08ebbc8496deb173f90316a387f5ebf1cf14b219809fe
Instruction ID: d1ba7414d1791eefe29aa67a682d6efc7bf9706d16501f04baae8b06f2064dd0
Opcode Fuzzy Hash: e8c546b488ce723f3be08ebbc8496deb173f90316a387f5ebf1cf14b219809fe
Instruction Fuzzy Hash: E6312873A0016D8BCB30DF2D8A514FE33935BA1760F154029ED45AB345EA71ED40D3A0

Function 00702F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00702F8D
LoadLibraryW.KERNEL32(?), ref: 00702F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00702FA9
DestroyWindow.USER32(?), ref: 00702FB1

Strings

SysAnimate32, xrefs: 00702F68

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: fc54cb31c161be0095dda59ed7be3cbe59d25fe8c7a258da8dc08c1283245a10
Instruction ID: b3d02ee2dd0417b003c9b82952fb87693e616c732b1e4c922e11954e870060af
Opcode Fuzzy Hash: fc54cb31c161be0095dda59ed7be3cbe59d25fe8c7a258da8dc08c1283245a10
Instruction Fuzzy Hash: 9F21BE72200206EBEB115F64DC48EBB77F9EB593A4F104718F910920E1C779EC429760

Function 00694D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00694D1E,006A28E9,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002), ref: 00694D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00694DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00694D1E,006A28E9,?,00694CBE,006A28E9,007388B8,0000000C,00694E15,006A28E9,00000002,00000000), ref: 00694DC3

Strings

CorExitProcess, xrefs: 00694D98
mscoree.dll, xrefs: 00694D86

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5403d0c4a607a27f459d73a536ad62066bb0f1cf51f0aff16972662e2e85aefb
Instruction ID: f3419333c6cafe600decfdbb44184401b5e5f98341596a59bd61d97a57e01b37
Opcode Fuzzy Hash: 5403d0c4a607a27f459d73a536ad62066bb0f1cf51f0aff16972662e2e85aefb
Instruction Fuzzy Hash: C6F0A434500208FBDF125F94DC09BEDBBB9EF04712F044294F805A2690DF785981CBD4

Function 006CD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 006CD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006CD3BF
FreeLibrary.KERNEL32(00000000), ref: 006CD3E5

Strings

X64, xrefs: 006CD2A8
GetSystemWow64DirectoryW, xrefs: 006CD3B9

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 8950039e35c9f16d28b87ac302ef9f5229221ac5049a0e669f68d4287c855011
Instruction ID: f6fc4af9b3735fdc9e7210f7232293c5cb90952285cf3d4d2df28ecd9c4f11d1
Opcode Fuzzy Hash: 8950039e35c9f16d28b87ac302ef9f5229221ac5049a0e669f68d4287c855011
Instruction Fuzzy Hash: ECF020B0801620DBD7362B108C18FBAB213EF12701F64837CE90AE1290DB28CE418692

Function 00674E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00674EAE
FreeLibrary.KERNEL32(00000000,?,?,00674EDD,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00674EA8
kernel32.dll, xrefs: 00674E94

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c9887d07969b6d1e62ddb634e5ea42d239e10fa92c74628b10e073ca4317a7db
Instruction ID: 0249ce306348c0d6603e60f2f9e1fd9cd093dfc2229196575c1797833a4abe88
Opcode Fuzzy Hash: c9887d07969b6d1e62ddb634e5ea42d239e10fa92c74628b10e073ca4317a7db
Instruction Fuzzy Hash: 01E08676A01622DBD23317256C1CAAB6555AF81B72B058315FC04D2241DF68CD0180A4

Function 00674E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00674E74
FreeLibrary.KERNEL32(00000000,?,?,006B3CDE,?,00741418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00674E87

Strings

kernel32.dll, xrefs: 00674E5B
Wow64RevertWow64FsRedirection, xrefs: 00674E6E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 83f0b41dab3f4fa1427622d50198f9b8b7c36b6c9ed502bd06c375e89840c1c6
Instruction ID: 595221ff06e9a9cf671c12505fdd393fc52d049ebe353c8192ef9cf56c6a77c5
Opcode Fuzzy Hash: 83f0b41dab3f4fa1427622d50198f9b8b7c36b6c9ed502bd06c375e89840c1c6
Instruction Fuzzy Hash: F7D0C27250262197D6331B246C0CDCB2A1EEF85B213058310B808E2250CF68CD0182D4

Function 006E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006E2C05
DeleteFileW.KERNEL32(?), ref: 006E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006E2CC0

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 54343ac5099f6a914ed1350ddb0c9bac835208bddfe38b2e37360310c3a5e095
Instruction ID: bdb2b64b0d7e15ea012ad1e4e7da3dcd38e8021bffba57c44f6c5ab6310878b7
Opcode Fuzzy Hash: 54343ac5099f6a914ed1350ddb0c9bac835208bddfe38b2e37360310c3a5e095
Instruction Fuzzy Hash: D1B17F71D01219ABDF51DFA5CC95EDEB7BEEF48340F1040AAF609E7241EA309A448F65

Function 006FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 006FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006FA468
CloseHandle.KERNEL32(?), ref: 006FA63D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 383ac20fcf43d71c3632fc07d213c7626996e13bbf4bd98e8cc61e68c3f3734a
Instruction ID: 055da942f9e7b55de0ebd746c81dec0c13e6dd58df95c87d01b0ed7126a2a0fd
Opcode Fuzzy Hash: 383ac20fcf43d71c3632fc07d213c7626996e13bbf4bd98e8cc61e68c3f3734a
Instruction Fuzzy Hash: E0A181B16043009FE760DF24C886F2AB7E6AF84714F14895DF559DB392DBB0EC418B96

Function 006DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006DCF22,?), ref: 006DDDFD

Part of subcall function 006DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006DCF22,?), ref: 006DDE16

Part of subcall function 006DE199: GetFileAttributesW.KERNEL32(?,006DCF95), ref: 006DE19A

lstrcmpiW.KERNEL32(?,?), ref: 006DE473
MoveFileW.KERNEL32(?,?), ref: 006DE4AC
_wcslen.LIBCMT ref: 006DE5EB
_wcslen.LIBCMT ref: 006DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 006DE650

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e308a58a90bc4894275aaee9c6ca5cf7023fef5a85df7c06bdf8186e62d53f55
Instruction ID: b2cf03a08b8956a4d595ee7323e97c2790993b0fabfa8cfe28c851ec602e8a34
Opcode Fuzzy Hash: e308a58a90bc4894275aaee9c6ca5cf7023fef5a85df7c06bdf8186e62d53f55
Instruction Fuzzy Hash: 445184B29083459BC764EB90DC819DF73EEAF84340F00491FF589D7251EF75A588876A

Function 006FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006FB6AE,?,?), ref: 006FC9B5
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FC9F1
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA68
Part of subcall function 006FC998: _wcslen.LIBCMT ref: 006FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006FBB63
RegCloseKey.ADVAPI32(?,?), ref: 006FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 006FBBB3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: a340e85c435c6c944d78cfa147a0b4c16a1f59dd59a90c5ff039fc949d476033
Instruction ID: c1e3abf91b8147c660d8ffa9dcfbac2f7d2b4c7154c80fcdb7a07024978f2a45
Opcode Fuzzy Hash: a340e85c435c6c944d78cfa147a0b4c16a1f59dd59a90c5ff039fc949d476033
Instruction Fuzzy Hash: E8617C31208245AFD714DF14C891E7ABBE6FF84308F14999CF5998B2A2DB31ED45CB92

Function 006D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006D8BCD
VariantClear.OLEAUT32 ref: 006D8C3E
VariantClear.OLEAUT32 ref: 006D8C9D
VariantClear.OLEAUT32(?), ref: 006D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006D8D3B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8ed117dfaa6cd56f923234ad6c20304cd4d5d65759fb139f71bd5d7111e0ecfa
Instruction ID: 420bac599c9e208299d8fffa15a29a8a379964d706c6b1db7e92eb172f757908
Opcode Fuzzy Hash: 8ed117dfaa6cd56f923234ad6c20304cd4d5d65759fb139f71bd5d7111e0ecfa
Instruction Fuzzy Hash: 56515CB5A00219EFCB14CF59C894AAAB7FAFF89310B15855AF905DB350E734E911CF90

Function 006E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 006E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006E8C5F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: fb44ff7eca740a415ce6284be8489e88330d552bc083b56c72116c90ca5654f2
Instruction ID: 2bc96327ea08724d6645005153950d73d9ae586f16e0eaa6767dbde850ce565a
Opcode Fuzzy Hash: fb44ff7eca740a415ce6284be8489e88330d552bc083b56c72116c90ca5654f2
Instruction Fuzzy Hash: 6C515B35A002149FDB05DF65C881AADBBF2FF49314F18C098E809AB362CB35ED41CB94

Function 006F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 006F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 006F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 006F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 006F9032
FreeLibrary.KERNEL32(00000000), ref: 006F9052

Part of subcall function 0068F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,006E1043,?,753CE610), ref: 0068F6E6
Part of subcall function 0068F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,006CFA64,00000000,00000000,?,?,006E1043,?,753CE610,?,006CFA64), ref: 0068F70D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: bdfe5459d1ff0bfbcc30aa5deab52e7f6f7314beb1a635b78fcbebb3ba265514
Instruction ID: 9b4291502f4c9fa178d3d4d71208284d537956e7d2f4d2c61a28920d3bab7f9e
Opcode Fuzzy Hash: bdfe5459d1ff0bfbcc30aa5deab52e7f6f7314beb1a635b78fcbebb3ba265514
Instruction Fuzzy Hash: 00514834605209DFCB15DF58C4849ADBBF2FF49314B08C1A8E90A9B362DB31ED86CB95

Function 00706B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00706C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00706C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00706C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,006EAB79,00000000,00000000), ref: 00706C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00706CC7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 83f1d204c93dcf4e4fc8bbb59bc351b561ec035aacc26d822ed35569f97f36f1
Instruction ID: da1f02c41126808fc14f8207b385c3d361aa3f84185dc72472ee53023e2dc872
Opcode Fuzzy Hash: 83f1d204c93dcf4e4fc8bbb59bc351b561ec035aacc26d822ed35569f97f36f1
Instruction Fuzzy Hash: 0641C175A00104EFE725DF28CC68FAA7BE5EB09350F154368E895A72E0C779BD61CA60

Function 006A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006A20C3
_free.LIBCMT ref: 006A20E3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a1ffe7c38bb6425ffda0414afd659e29e4e2957b0247edbe0b0068d68e986d2e
Instruction ID: 93ed80413e6bf5e2696b2b737e515508600cbfd007d6ba2992475b540e7414eb
Opcode Fuzzy Hash: a1ffe7c38bb6425ffda0414afd659e29e4e2957b0247edbe0b0068d68e986d2e
Instruction Fuzzy Hash: FF41E472A40201AFCB24EF7CC890A9EB7E6EF8A714F1545A9E615EB351D631AD01CB80

Function 0068912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00689141
ScreenToClient.USER32(00000000,?), ref: 0068915E
GetAsyncKeyState.USER32(00000001), ref: 00689183
GetAsyncKeyState.USER32(00000002), ref: 0068919D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 376c658c9a3a1f32126495839a55feff738f6765081b432afe4bf29340b44fc4
Instruction ID: fa323a27960a579774580cb5765dd110c11296f5e103839344fffb018ecf2953
Opcode Fuzzy Hash: 376c658c9a3a1f32126495839a55feff738f6765081b432afe4bf29340b44fc4
Instruction Fuzzy Hash: 44415E31A0850AFBDF15AF64C848BFEB776FB05324F288319E465A22D0CB345951CF61

Function 006E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 006E3922
TranslateMessage.USER32(?), ref: 006E394B
DispatchMessageW.USER32(?), ref: 006E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E3966

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 26a01a69c573fd89d94eeeb0bb4a86d3249afb609f90754f754e412396d84abc
Instruction ID: 03ad3e9f534c3544e592d74df42e691caff824fb60e957a7846cbe571977490c
Opcode Fuzzy Hash: 26a01a69c573fd89d94eeeb0bb4a86d3249afb609f90754f754e412396d84abc
Instruction Fuzzy Hash: 1C31E8745063D19EEB35DB36980CBF637A9AB02300F44456EE462C7392F7F89685CB25

Function 006ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,006EC21E,00000000), ref: 006ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 006ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,006EC21E,00000000), ref: 006ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,006EC21E,00000000), ref: 006ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,006EC21E,00000000), ref: 006ECFF2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: d02cbf4919e776945d68ce9225dec0fa1be05d133de2a9d842aa7e595add114b
Instruction ID: 3265a58bf4a8f9609260a05815eb3d3157bb94ca0c633e9a4f753b4f5ed9beec
Opcode Fuzzy Hash: d02cbf4919e776945d68ce9225dec0fa1be05d133de2a9d842aa7e595add114b
Instruction Fuzzy Hash: A1314F71501345EFDB20DFA6C884AABBBFAEF14361B10852EF506D2240DB34AE42DB64

Function 006D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006D19E2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 711f452232b365a9c974f9315f3f2dc3bc20d794e08b5d3e72838ba18cc1ad80
Instruction ID: 05710fc7118f756866606f21fee0c8f107777457378249e1789e6338c9f81c63
Opcode Fuzzy Hash: 711f452232b365a9c974f9315f3f2dc3bc20d794e08b5d3e72838ba18cc1ad80
Instruction Fuzzy Hash: 51318171900219EFCB14CFA8C9A9ADE7BB6EB45315F108366F921AB3D1C7B09D54CB90

Function 00705706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00705745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0070579D
_wcslen.LIBCMT ref: 007057AF
_wcslen.LIBCMT ref: 007057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00705816

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9c269a9dbf1518313f376ef657f4b6feb776e5cee8c9c5598d04d443ab57606e
Instruction ID: 2b27743cd3c9c22b9b0c1c28b3e4f5099d1e1215df5075ae900ce6ee771f94ce
Opcode Fuzzy Hash: 9c269a9dbf1518313f376ef657f4b6feb776e5cee8c9c5598d04d443ab57606e
Instruction Fuzzy Hash: 98218F75904618EADB209FA0CC84EEE77BCFF04320F108356F929AA1C0E7789985CF54

Function 006F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006F0951
GetForegroundWindow.USER32 ref: 006F0968
GetDC.USER32(00000000), ref: 006F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 006F09B0
ReleaseDC.USER32(00000000,00000003), ref: 006F09E8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 69a92afe0da436c5b5c8b79fa41ab090ddddb67b4f3d9d70750e6936ea5aefc0
Instruction ID: 32011708739cb50d28127319b5a4cb2855cd2c5f60e8270cd8f6309b23303868
Opcode Fuzzy Hash: 69a92afe0da436c5b5c8b79fa41ab090ddddb67b4f3d9d70750e6936ea5aefc0
Instruction Fuzzy Hash: 62218135600204EFE754EF65C885AAEBBE6EF49700F04C16CF94A9B362DB74AC04CB94

Function 006ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006ACDE9

Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006ACE0F
_free.LIBCMT ref: 006ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006ACE31

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0d4b69a073d2e0e7487231c1b6eb0912e17bc8a1526af968b05fb8239de96cb8
Instruction ID: bfb05163912ced6b25cc3abd0863e6571d63691a5c7c40fada9268bcfa4307c7
Opcode Fuzzy Hash: 0d4b69a073d2e0e7487231c1b6eb0912e17bc8a1526af968b05fb8239de96cb8
Instruction Fuzzy Hash: 5B01D8726012157FA72137BA6C48C7BA96EEEC7BB1315426DF905D7301EE648D0289F4

Function 00689639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00689693
SelectObject.GDI32(?,00000000), ref: 006896A2
BeginPath.GDI32(?), ref: 006896B9
SelectObject.GDI32(?,00000000), ref: 006896E2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c3655b174bf1995f8f6f2012b3fe065c9625977bdba8cad07600eee2b28d2574
Instruction ID: 8650cd9ef35c12f1583126adb5716dcf9b8a6c453a690b44c7fc5db2490488d9
Opcode Fuzzy Hash: c3655b174bf1995f8f6f2012b3fe065c9625977bdba8cad07600eee2b28d2574
Instruction Fuzzy Hash: 82217174801345EBEB11BF64DC047F93B66BB01315F548317F410A61A0E77868D1CFA8

Function 006D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 006D5726
_memcmp.LIBVCRUNTIME ref: 006D5744
_memcmp.LIBVCRUNTIME ref: 006D5757
_memcmp.LIBVCRUNTIME ref: 006D576F
_memcmp.LIBVCRUNTIME ref: 006D5787

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 34c16b7c07df049d01809d1f035037382d586bbd434a84876f6b1358b5620c93
Instruction ID: 7232e8ae29602a62ab42674934e3db59d42fbbb70744b63a955e10776a617c3b
Opcode Fuzzy Hash: 34c16b7c07df049d01809d1f035037382d586bbd434a84876f6b1358b5620c93
Instruction Fuzzy Hash: D101D6A1A41605FAE61851109D42EFB739F9B22394B200026FD069EF81FA60ED1186B4

Function 006A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0069F2DE,006A3863,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6), ref: 006A2DFD
_free.LIBCMT ref: 006A2E32
_free.LIBCMT ref: 006A2E59
SetLastError.KERNEL32(00000000,00671129), ref: 006A2E66
SetLastError.KERNEL32(00000000,00671129), ref: 006A2E6F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1e44963ec2f6b11c2dac8921102c53ba8c70c5233784b19bfab8661019634308
Instruction ID: d36a7fed01397c3c2358aeb3016c633e995b14ada113311d059d0aa065371f94
Opcode Fuzzy Hash: 1e44963ec2f6b11c2dac8921102c53ba8c70c5233784b19bfab8661019634308
Instruction Fuzzy Hash: 470149322C46026BC613733D2C96D6B265BBBC3771720422CF421E2392EF38CC410D25

Function 006D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?,?,006D035E), ref: 006D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?), ref: 006D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,006CFF41,80070057,?,?), ref: 006D0070

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0b6bda09415d5670352e7a485a80b97ea55f611c4217ab6bc4a6ecc5fe506de6
Instruction ID: 4e96c80fc3a6c5e96ac05ee8196baa4cdf3badbb929bea343b415846fe9fec11
Opcode Fuzzy Hash: 0b6bda09415d5670352e7a485a80b97ea55f611c4217ab6bc4a6ecc5fe506de6
Instruction Fuzzy Hash: 6901A272A00204FFEB114F68DC04BAA7AEEEF84752F148225F905D6350DBB5DD408BA4

Function 006DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 006DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 006DE9A5
Sleep.KERNEL32(00000000), ref: 006DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 006DE9B7
Sleep.KERNEL32 ref: 006DE9F3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 24574819aaa9ff204d7e2324cd3e416761820ef1ca20573d58acadcecf453de3
Instruction ID: 576d54e9673b2ff76fb0b8d1e1b931f390cdcc18a5d9ac8edf40f7a53cde23a8
Opcode Fuzzy Hash: 24574819aaa9ff204d7e2324cd3e416761820ef1ca20573d58acadcecf453de3
Instruction Fuzzy Hash: 31016971C0262DDBCF00AFE4DC69AEDBB79FF08300F004656E502BA240CB399551CBA5

Function 006D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006D0B9B,?,?,?), ref: 006D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006D114D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: bc4075c5ed620cbfb5757f2289a35287be4a53e2701a17504e5d5807131aa3be
Instruction ID: 321a75c3afeb59e1bff40d88eb9cff5656137af84be594ac3c85cfbeaa973941
Opcode Fuzzy Hash: bc4075c5ed620cbfb5757f2289a35287be4a53e2701a17504e5d5807131aa3be
Instruction Fuzzy Hash: 35011D75500205FFEB124F65DC49AAA3B7EEF8A360B204615FA45D7350DE75DC009A64

Function 006D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006D1002

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: df0156e98fd5d1acd170b656df16914eb8c76faedd775361c81afdea70675c02
Instruction ID: b4c4900f2e05f53a8cfedb713f31a5e681e6dba65859393bf1f0bcd353e0696b
Opcode Fuzzy Hash: df0156e98fd5d1acd170b656df16914eb8c76faedd775361c81afdea70675c02
Instruction Fuzzy Hash: 83F04F75600305FBD7225FA59C49F963B6EEF8A761F108615F945CA351CE74DC408A60

Function 006D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1062

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: de4ea7b628e3e44b1b02c113b97c0421d8b5c8738c848b1b12f20490e1dd8ed1
Instruction ID: 3ecf9cd5a89387e4ec781d9ca001f7509f0e3fc5514ac8144c8775ff8fbd5bfc
Opcode Fuzzy Hash: de4ea7b628e3e44b1b02c113b97c0421d8b5c8738c848b1b12f20490e1dd8ed1
Instruction Fuzzy Hash: 26F04F75200305FBD7226FA4EC49F963B6EEF8A761F104615F945CA350CE74DC808A60

Function 006E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0324
CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0331
CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E033E
CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E034B
CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0358
CloseHandle.KERNEL32(?,?,?,?,006E017D,?,006E32FC,?,00000001,006B2592,?), ref: 006E0365

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6c758d888037d8d62c7e11ae46fe9c98a988773696d582e0c52b103fb5343bca
Instruction ID: 1f826990833473cb5200e738e868ac3a560131eb1ca2ba254feffe262f751a37
Opcode Fuzzy Hash: 6c758d888037d8d62c7e11ae46fe9c98a988773696d582e0c52b103fb5343bca
Instruction Fuzzy Hash: C201E272801B42DFD7309F66D880442F7F6BF503053158A3FD19252A30C3B1A984CF80

Function 006AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006AD752

Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0

_free.LIBCMT ref: 006AD764
_free.LIBCMT ref: 006AD776
_free.LIBCMT ref: 006AD788
_free.LIBCMT ref: 006AD79A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e6019ffa026cca1e66410f55736b3a45a2d0e8ff19c1c788a3219b5a5353020
Instruction ID: 25fa1911e4524342f1fb330f6d159d27089957e11b4ee9c507681f7c51d15bf0
Opcode Fuzzy Hash: 3e6019ffa026cca1e66410f55736b3a45a2d0e8ff19c1c788a3219b5a5353020
Instruction Fuzzy Hash: C4F0AF32141209AF82A6FB29F8C1C9B37DFBB06B11B950809F009E3A01C724FC808F68

Function 006D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 006D5C6F
MessageBeep.USER32(00000000), ref: 006D5C87
KillTimer.USER32(?,0000040A), ref: 006D5CA3
EndDialog.USER32(?,00000001), ref: 006D5CBD

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0ae64d59ed3e9526071ed430b249c887a22ff058517b1ebcd7161e1e9920dbdc
Instruction ID: fd3cb8f96b2296db866d0d320ab11668d223341fb339ebfcc4b4c6fde08c38bd
Opcode Fuzzy Hash: 0ae64d59ed3e9526071ed430b249c887a22ff058517b1ebcd7161e1e9920dbdc
Instruction Fuzzy Hash: 9001D130900B04EBEB315B10DD4EFE67BB9BB00B01F04435EB583A16E1DFF5A9848A95

Function 006A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A22BE

Part of subcall function 006A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000), ref: 006A29DE
Part of subcall function 006A29C8: GetLastError.KERNEL32(00000000,?,006AD7D1,00000000,00000000,00000000,00000000,?,006AD7F8,00000000,00000007,00000000,?,006ADBF5,00000000,00000000), ref: 006A29F0

_free.LIBCMT ref: 006A22D0
_free.LIBCMT ref: 006A22E3
_free.LIBCMT ref: 006A22F4
_free.LIBCMT ref: 006A2305

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 965316b21283f1acdf0ddb5de9ce23b8aef36569cba1cbbaf40ee475e6dfef75
Instruction ID: 3bc8ab9b5c6089a8eda4d2dde1eaa5205dc12e00835b55c6789424a9052c4578
Opcode Fuzzy Hash: 965316b21283f1acdf0ddb5de9ce23b8aef36569cba1cbbaf40ee475e6dfef75
Instruction Fuzzy Hash: 08F030785802118F8793BF69BC118493B66B71BF51740851BF510D2271C73C2D51AFED

Function 006895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006895D4
StrokeAndFillPath.GDI32(?,?,006C71F7,00000000,?,?,?), ref: 006895F0
SelectObject.GDI32(?,00000000), ref: 00689603
DeleteObject.GDI32 ref: 00689616
StrokePath.GDI32(?), ref: 00689631

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 91b3621ad0f37d5f91c102819a2034184ea9937b476fb0cd4e547b623c555a59
Instruction ID: beb967f044e036a24ee2647f8e7b5d84cee544acee8fd2fe1295a3a1f75510a7
Opcode Fuzzy Hash: 91b3621ad0f37d5f91c102819a2034184ea9937b476fb0cd4e547b623c555a59
Instruction Fuzzy Hash: C6F03C38006248EBDB126F65ED1C7B43B62AB06322F48C315F429551F0DB7899D1DF28

Function 006A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006A10F9
__freea.LIBCMT ref: 006A1117

Part of subcall function 006A1537: _free.LIBCMT ref: 006A154F

Strings

am/pm, xrefs: 006A117A
a/p, xrefs: 006A11DE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1b52a83e9b4fdd0bbc174c13733de805687d19653f7e45a70d7ed2574e3a9af2
Instruction ID: 3ec76fce13a6bb5fa215643f342dc915cb2e49df7eeeb530cfadabe563ad1e71
Opcode Fuzzy Hash: 1b52a83e9b4fdd0bbc174c13733de805687d19653f7e45a70d7ed2574e3a9af2
Instruction Fuzzy Hash: 5CD1EE31900206DADF28AF68C855BFAB7B7EF07310F28415AE901AF751D6359E81CFA5

Function 006F61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00690242: EnterCriticalSection.KERNEL32(0074070C,00741884,?,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069024D
Part of subcall function 00690242: LeaveCriticalSection.KERNEL32(0074070C,?,0068198B,00742518,?,?,?,006712F9,00000000), ref: 0069028A

Part of subcall function 006900A3: __onexit.LIBCMT ref: 006900A9

__Init_thread_footer.LIBCMT ref: 006F6238

Part of subcall function 006901F8: EnterCriticalSection.KERNEL32(0074070C,?,?,00688747,00742514), ref: 00690202
Part of subcall function 006901F8: LeaveCriticalSection.KERNEL32(0074070C,?,00688747,00742514), ref: 00690235

Part of subcall function 006E359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006E35E4
Part of subcall function 006E359C: LoadStringW.USER32(00742390,?,00000FFF,?), ref: 006E360A

Strings

x#t, xrefs: 006F633A
x#t, xrefs: 006F6353
x#t, xrefs: 006F636F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#t$x#t$x#t
API String ID: 1072379062-2514561250
Opcode ID: 5eb0abe5c13051675f70923b0fecfd0bc4ba84250a82c9490b4ad68fb0dbb60e
Instruction ID: e04777438adb1b0f6af3bfe26cda23d9a4cd4cd14eee40992926063168454843
Opcode Fuzzy Hash: 5eb0abe5c13051675f70923b0fecfd0bc4ba84250a82c9490b4ad68fb0dbb60e
Instruction Fuzzy Hash: 1DC16D71A00109AFDB14EF98C891DBEB7BAEF49300F148169FA15AB291DB70ED45CB94

Function 006A5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOg, xrefs: 006A5BA8, 006A5C6C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: JOg
API String ID: 0-645625397
Opcode ID: 6cf7d88ecd5abce6dcc469492a21b3283c115757cc1b28ace6925851491b4c0e
Instruction ID: e012718a03efe5da80a702aa77cae844a598085fda54cf1ea30c1621f8458c17
Opcode Fuzzy Hash: 6cf7d88ecd5abce6dcc469492a21b3283c115757cc1b28ace6925851491b4c0e
Instruction Fuzzy Hash: 6051AE75900609ABCF11FFA8C845BEEBBBAAF06324F14005EF507A7292D6359E018F65

Function 006A8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006A8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006A8B7A
__dosmaperr.LIBCMT ref: 006A8B81

Strings

.i, xrefs: 006A8A63

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .i
API String ID: 2434981716-2647164722
Opcode ID: a386653e51266ebcd5670687cb90bf86fc04500dfd7cd1b3c70f9faeb1a1a7e2
Instruction ID: 5353e6a9359748ff0b057722ab8543cfea4630a87829eef504b5a5398fef7f34
Opcode Fuzzy Hash: a386653e51266ebcd5670687cb90bf86fc04500dfd7cd1b3c70f9faeb1a1a7e2
Instruction Fuzzy Hash: D54160B0604145AFDB25AF54C880ABD7FE7DB87304B2881AAF98587652DE35CC028FA4

Function 006D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21D0,?,?,00000034,00000800,?,00000034), ref: 006DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006D2760

Part of subcall function 006DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 006DB3F8

Part of subcall function 006DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 006DB355
Part of subcall function 006DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB365
Part of subcall function 006DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006D2194,00000034,?,?,00001004,00000000,00000000), ref: 006DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006D281A

Strings

@, xrefs: 006D2832

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9d0968765f3cdbb2a872a0bd396bf803fb5d3775ee298d25faaa6cb602158978
Instruction ID: d37992d2b03a2f28155a0d984b076cd900de0fdae46f2b822658bdae49946043
Opcode Fuzzy Hash: 9d0968765f3cdbb2a872a0bd396bf803fb5d3775ee298d25faaa6cb602158978
Instruction Fuzzy Hash: A6414F72D00218AFDB10DBA4CC51EEEBBB9EF15300F00509AFA55B7281DB706E45DBA0

Function 006A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 006A1769
_free.LIBCMT ref: 006A1834
_free.LIBCMT ref: 006A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 006A1760, 006A1767, 006A1796, 006A17CE

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 21dbe8b303686cbf3e6ae24327481f664d0b2be6fbbfc91c5b19d9cacacc44e0
Instruction ID: ce58d4fb8749f1f9b09e2e8eddaca525c7820c8ce80987f4b24bec9e67795c08
Opcode Fuzzy Hash: 21dbe8b303686cbf3e6ae24327481f664d0b2be6fbbfc91c5b19d9cacacc44e0
Instruction Fuzzy Hash: 8D31A275A40218EFCB21EB999881D9EBBFEEB87310F50416AF404DB211D7B48E40CF94

Function 006DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 006DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00741990,01615628), ref: 006DC395

Strings

0, xrefs: 006DC2DF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0f2c6121a08bedfe25fea75d26409e18a922bd55fad0f89348f0808e5e07363c
Instruction ID: 519710a6c378a41f5498e19c61ffb1d05f92f80a3cc1f9808181bf1dc63c473a
Opcode Fuzzy Hash: 0f2c6121a08bedfe25fea75d26409e18a922bd55fad0f89348f0808e5e07363c
Instruction Fuzzy Hash: 1C41BF31A04346DFDB20DF28D884B5ABBE6AF85320F11861EF9A5973D1C730E904CB66

Function 00704416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0070CC08,00000000,?,?,?,?), ref: 007044AA
GetWindowLongW.USER32 ref: 007044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007044D7

Strings

SysTreeView32, xrefs: 0070447C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 91ef53047b96758324edb57e52c487b2b8816e8455a12e17325d0e15fa4d6044
Instruction ID: e1e66478e879de96f2a1e22fd76208cf89d6f87b095690ebd79752337acede82
Opcode Fuzzy Hash: 91ef53047b96758324edb57e52c487b2b8816e8455a12e17325d0e15fa4d6044
Instruction Fuzzy Hash: D1319CB1210245EBDB219F38DC45BEA77A9EB08334F208319FA79922D0DB78AC609750

Function 006D6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 006D6EED
VariantCopyInd.OLEAUT32(?,?), ref: 006D6F08
VariantClear.OLEAUT32(?), ref: 006D6F12

Strings

*jm, xrefs: 006D6E8B, 006D6E90, 006D6EF8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jm
API String ID: 2173805711-1720354028
Opcode ID: da4c27788201152a0c6fd5d9752b8099981ea18968945bfaee912f28e549b3e7
Instruction ID: e4938c505bcf07b240d03f7ac1783e22eadf15fe9531d5d4d8e26dcaa33f7e70
Opcode Fuzzy Hash: da4c27788201152a0c6fd5d9752b8099981ea18968945bfaee912f28e549b3e7
Instruction Fuzzy Hash: 3231CFB1A04645DBCB05AFA5E8909BE37B7FF80300B10459EF9024B3B1CB349D12CBA4

Function 006F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006F3077,?,?), ref: 006F3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006F307A
_wcslen.LIBCMT ref: 006F309B
htons.WSOCK32(00000000,?,?,00000000), ref: 006F3106

Strings

255.255.255.255, xrefs: 006F3095, 006F309A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b9507baac4f69ac285bdbf2679608bb24084f23bf96563d38788626a8672a776
Instruction ID: 97308691bd579e6d052704c54b438f7f03688258ee6724a6005609df5105149d
Opcode Fuzzy Hash: b9507baac4f69ac285bdbf2679608bb24084f23bf96563d38788626a8672a776
Instruction Fuzzy Hash: 7E31C1356002199FCB10CF28C585EBA77E2EF15318F24C15AEA158B392DB72EE45C761

Function 00703EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00703F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00703F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00703F78

Strings

SysMonthCal32, xrefs: 00703F0B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d0c3185aab07c0fbeaa1d55edcb72c37b0e8a68f4e14584c79fc0277d5d499ec
Instruction ID: 2fa066be604681d64f0ebd79b25a892f89c02932779b1a9654cabac47abe853d
Opcode Fuzzy Hash: d0c3185aab07c0fbeaa1d55edcb72c37b0e8a68f4e14584c79fc0277d5d499ec
Instruction Fuzzy Hash: F921BF32600219FBDF219F50CC46FEA3BB9EF48714F110215FA156B1D0DAB9A950CB90

Function 00704653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00704705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00704713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0070471A

Strings

msctls_updown32, xrefs: 00704684

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: fc6b5b80054ef78ccd870a3b1917b3169a4fdc361cebc785272f88a9729068d0
Instruction ID: c93b3136dc82cdf0f40b730f1d3f59ad17eafb89df05c32d7dae3903ab7ee1f6
Opcode Fuzzy Hash: fc6b5b80054ef78ccd870a3b1917b3169a4fdc361cebc785272f88a9729068d0
Instruction Fuzzy Hash: EC217CF5600209EFEB10DF68DC91DA637EDEB4A3A4B004149FA009B2A1CB35EC51CA64

Function 006D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006D961D

Strings

#requireadmin, xrefs: 006D95D9
#OnAutoItStartRegister, xrefs: 006D95F3
#notrayicon, xrefs: 006D95B7

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 69c2af46f02d7c7b069748413c3f16287a808c759234f51a18ec5dd499dc6cf6
Instruction ID: c5f4a7fc69e0ef67c70f35e114883e5c4f241930c023433f6b39cdf5643b900c
Opcode Fuzzy Hash: 69c2af46f02d7c7b069748413c3f16287a808c759234f51a18ec5dd499dc6cf6
Instruction Fuzzy Hash: ED212672604151A6D771BB24A802FF773DA9F91310F10402BF94997782EB55ED92C3E9

Function 007037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00703840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00703850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00703876

Strings

Listbox, xrefs: 0070380F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 81389cf97d70e00d4a6c6c2d166f862ff0ad3d346ee3e29259f17e3eb96f19cd
Instruction ID: 65bc9cc4aca2bb745a49bbb3eb903876e324758cf0b66d4803d6147dc9f20558
Opcode Fuzzy Hash: 81389cf97d70e00d4a6c6c2d166f862ff0ad3d346ee3e29259f17e3eb96f19cd
Instruction Fuzzy Hash: CE218072610118FBEB229F54CC85EBB37AEEF89764F108214F9449B1D0CA79DC5287A0

Function 006E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0070CC08), ref: 006E4AD0

Strings

%lu, xrefs: 006E4A6F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 93977e1c30094b7f16fdf09663966fa149141082c638d2b3cd09b2223471431e
Instruction ID: ad027e66b38b363e68625cc83f392dd4e73765c27f9cfeff99918cb58212218d
Opcode Fuzzy Hash: 93977e1c30094b7f16fdf09663966fa149141082c638d2b3cd09b2223471431e
Instruction Fuzzy Hash: 19318170A00208AFDB11DF64C885EAA77F9EF08304F1480A9F409DB352DB75ED45CB65

Function 007041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0070424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00704264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00704271

Strings

msctls_trackbar32, xrefs: 00704226

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fccf9f28e5d052cb2fadf88d0f3e2bf4b9544da2480cee5603c03d1b72f6c291
Instruction ID: ea3f1cff94321fd0b692d536d0aa9f628970cf00adb2be7ab8bb8d214e8220fc
Opcode Fuzzy Hash: fccf9f28e5d052cb2fadf88d0f3e2bf4b9544da2480cee5603c03d1b72f6c291
Instruction Fuzzy Hash: BE11C171240208BEEF209F28CC06FAB3BECEF85B64F014218FA55E20D0D675D8619B14

Function 006D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

Part of subcall function 006D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006D2DC5
Part of subcall function 006D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D2DD6
Part of subcall function 006D2DA7: GetCurrentThreadId.KERNEL32 ref: 006D2DDD
Part of subcall function 006D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006D2DE4

GetFocus.USER32 ref: 006D2F78

Part of subcall function 006D2DEE: GetParent.USER32(00000000), ref: 006D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 006D2FC3
EnumChildWindows.USER32(?,006D303B), ref: 006D2FEB

Strings

%s%d, xrefs: 006D2FFF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d3cbca61e689a25c1c073a604d87042821aa6ae8881d510ff2b9af0dc0cc1516
Instruction ID: 08f8c4c9c327fc762a85a1d07ef21181edffdcac21f47ac6e3eccd05056cfe2e
Opcode Fuzzy Hash: d3cbca61e689a25c1c073a604d87042821aa6ae8881d510ff2b9af0dc0cc1516
Instruction Fuzzy Hash: 5911E471A00205ABDF917F70CC95EEE376BAF94304F04817AF9099B392DE359A498B74

Function 00705882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007058EE
DrawMenuBar.USER32(?), ref: 007058FD

Strings

0, xrefs: 0070588F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f9c5d2185b919dc7112f9545a5e27c41f766a0fbe78f6881e4b3fbcdd95cd523
Instruction ID: 8fa6db693672f91ab4a3c7df229cb0456cd23e7a13c20ac84c5f90622a30a1da
Opcode Fuzzy Hash: f9c5d2185b919dc7112f9545a5e27c41f766a0fbe78f6881e4b3fbcdd95cd523
Instruction Fuzzy Hash: DF01A931500208EFDB219F11DC48BAFBBB5FB45361F1082A9F848D6191DB789A90EF20

Function 006D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edc20ff8f08d7568b8b4f92a6a46c94f43bd7d416f3e88365520cb3844cb588
Instruction ID: d48fa68240e5fcc047ed75daf11c009e5ad0fdb11ba66405f8a7f497f505a325
Opcode Fuzzy Hash: 4edc20ff8f08d7568b8b4f92a6a46c94f43bd7d416f3e88365520cb3844cb588
Instruction Fuzzy Hash: 33C13775A00216AFEB14CFA4C894BAEB7B6FF48304F218599E505EB351D731EE42CB90

Function 006F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006F3459
CoUninitialize.OLE32 ref: 006F3463
VariantInit.OLEAUT32(?), ref: 006F346E
VariantClear.OLEAUT32(?), ref: 006F371B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 9c901bf86419a3c35a2440861c1fcbcf986bb7572159fc7336e117c55531fdcb
Instruction ID: 91d6aeb1cf4e81036346038786749cbbccca90f0cc622912a2b394e3e95f73a4
Opcode Fuzzy Hash: 9c901bf86419a3c35a2440861c1fcbcf986bb7572159fc7336e117c55531fdcb
Instruction Fuzzy Hash: 9AA15B756043149FD740EF28C485A2AB7E6FF88714F14895DFA8A9B362DB30EE01CB95

Function 006D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0070FC08,?), ref: 006D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0070FC08,?), ref: 006D0608
CLSIDFromProgID.OLE32(?,?,00000000,0070CC40,000000FF,?,00000000,00000800,00000000,?,0070FC08,?), ref: 006D062D
_memcmp.LIBVCRUNTIME ref: 006D064E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 12ccf2b7bb54f7e3dbafc153f86e2ba0e0cd765e90ad75d0fa20416209c4024f
Instruction ID: 9545daa64f8d00855265fc8d297caacb1aba106b22422b0c37d153784d169273
Opcode Fuzzy Hash: 12ccf2b7bb54f7e3dbafc153f86e2ba0e0cd765e90ad75d0fa20416209c4024f
Instruction Fuzzy Hash: 96810D75E00109EFDB04DF94C984EEEB7BAFF89315F204599E506AB250DB71AE06CB60

Function 006FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 006FA6BA

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Process32NextW.KERNEL32(00000000,?), ref: 006FA79C
CloseHandle.KERNEL32(00000000), ref: 006FA7AB

Part of subcall function 0068CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006B3303,?), ref: 0068CE8A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6f73df60ca3030c488b8ca1eeac0e4f770765f92beea8a69b695f1db5eaf665d
Instruction ID: 03de421cbff654618aac00a4950154a92d6ee3f14b90936e2ed32edf7a99da64
Opcode Fuzzy Hash: 6f73df60ca3030c488b8ca1eeac0e4f770765f92beea8a69b695f1db5eaf665d
Instruction Fuzzy Hash: 48516EB15083009FD750EF24C886E6BBBE9FF89754F008A1DF59997252EB70D904CB96

Function 006B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006B14C0

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d48fc3ad084f29c3038847b65c276018edaacedc275325d8e0700d2d84ced069
Instruction ID: 9a628888ba1285d9d6f947a8bc9a826ad20ca0d1bf66e8048acae57b92b499c8
Opcode Fuzzy Hash: d48fc3ad084f29c3038847b65c276018edaacedc275325d8e0700d2d84ced069
Instruction Fuzzy Hash: 3A4137B1600110BBDF217BF98C556EE3AEBEF43330F644269F419CA292EA348D814766

Function 00706278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007062E2
ScreenToClient.USER32(?,?), ref: 00706315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00706382

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f7cbfe4f9d93287f5b6493a6c3d5b072de9aed0475a1a38baba912aaec684edc
Instruction ID: 994b7bb773e5bbaaac496766a0cd174d93538346fc15bee23dc941e10437617e
Opcode Fuzzy Hash: f7cbfe4f9d93287f5b6493a6c3d5b072de9aed0475a1a38baba912aaec684edc
Instruction Fuzzy Hash: AA512A75900249EFDF20DF54D890AAE7BF6FB45360F108259F915972D0D734AD91CB90

Function 006F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006F1AFD
WSAGetLastError.WSOCK32 ref: 006F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006F1B8A
WSAGetLastError.WSOCK32 ref: 006F1B94

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ba557d1b6b007c8801af4ce3b0bc709f7e3946c90f70ca550ed7f08933525f95
Instruction ID: 40c8c39ba67267b8ea73a6c01c136f79412fc48c07316d21c46d06eff1f41baa
Opcode Fuzzy Hash: ba557d1b6b007c8801af4ce3b0bc709f7e3946c90f70ca550ed7f08933525f95
Instruction Fuzzy Hash: 3C41BE34640200EFE760AF24C886F6A77E6AB45718F54C54CFA1A9F3D3D672ED428B94

Function 006AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59eade04012d86d120e427c93c684d68095e7dab366d3afc7731aa274f8e6637
Instruction ID: a2c08efa17b77f7b94433d0efd1f8ff4a2446cc60a872e858c9e76c665e2f292
Opcode Fuzzy Hash: 59eade04012d86d120e427c93c684d68095e7dab366d3afc7731aa274f8e6637
Instruction Fuzzy Hash: 4841D371A00704BFD724AF78CC41BAABBEAEF8A710F10452EF551DB682D771AD418B94

Function 006E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006E5783
GetLastError.KERNEL32(?,00000000), ref: 006E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006E57FA

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6415a86d135d9491d22ceeabc0421df45ee6c752eb2fb11829afe1f15959b97e
Instruction ID: ec53b9d0a3adce2431161d8b3f464251d327104b8ee0a65a17b473bf999fe7ca
Opcode Fuzzy Hash: 6415a86d135d9491d22ceeabc0421df45ee6c752eb2fb11829afe1f15959b97e
Instruction Fuzzy Hash: 94412939600610DFCB11EF15C584A5EBBE2EF89724B18C488E85AAB362CB34FD00CB95

Function 006AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00696D71,00000000,00000000,006982D9,?,006982D9,?,00000001,00696D71,?,00000001,006982D9,006982D9), ref: 006AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006AD9AB
__freea.LIBCMT ref: 006AD9B4

Part of subcall function 006A3820: RtlAllocateHeap.NTDLL(00000000,?,00741444,?,0068FDF5,?,?,0067A976,00000010,00741440,006713FC,?,006713C6,?,00671129), ref: 006A3852

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: a66779ae24c7e2d937671a693b508a1352316e21eaadf71cf47dc0412fa167b6
Instruction ID: 3065ad20dc9e3b23ecec7c14bdeb99d5a71c30b05f44fb25311d38a33eb5dce8
Opcode Fuzzy Hash: a66779ae24c7e2d937671a693b508a1352316e21eaadf71cf47dc0412fa167b6
Instruction Fuzzy Hash: 2831A072A0020AABDF25AF64DC45EEF7BAAEF42310B054268FC05D7291EB35DD55CB90

Function 007052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00705352
GetWindowLongW.USER32(?,000000F0), ref: 00705375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00705382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007053A8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 31a043048122f1d76eb392201ad9ba365ed50096284ec00a0c54dddc4d6f3639
Instruction ID: cc00dbfaf580c3bf8d9201a6bb1c1e53c4e83ab052fa63496b8ace4355b2d9cb
Opcode Fuzzy Hash: 31a043048122f1d76eb392201ad9ba365ed50096284ec00a0c54dddc4d6f3639
Instruction Fuzzy Hash: F631C634A55A08EFEB309F14CC06BEAF7E5AB05394F584301FA10961E1C7BDA980DF55

Function 006DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 006DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 006DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 006DAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 006DACC6

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5048f14fffc1b860e18c68337952a45e0fdcab34455c5f446f191f73b43a78bd
Instruction ID: a6f3e7c864e2af0f380a691d5d44b4be262712d1c49ae3ae455c746aee66275e
Opcode Fuzzy Hash: 5048f14fffc1b860e18c68337952a45e0fdcab34455c5f446f191f73b43a78bd
Instruction Fuzzy Hash: 19310C30E68618AFFF35CBA58C047FA7767AB89330F04431BE485523D1C77589458756

Function 00707674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0070769A
GetWindowRect.USER32(?,?), ref: 00707710
PtInRect.USER32(?,?,00708B89), ref: 00707720
MessageBeep.USER32(00000000), ref: 0070778C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 35a199f4cd0767ea9c1ea8937ecf8cb432643f9c07e7e6a9e99fff5dee2a725b
Instruction ID: 8af11dd90015ec5f43ce150c388cba46651169716db28bae517dc0b7a168fa31
Opcode Fuzzy Hash: 35a199f4cd0767ea9c1ea8937ecf8cb432643f9c07e7e6a9e99fff5dee2a725b
Instruction Fuzzy Hash: 9941CE38A05254DFCB09DF58C894EA877F0FF49390F5992A9E8148B2A0C739F981CF90

Function 007016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007016EB

Part of subcall function 006D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006D3A57
Part of subcall function 006D3A3D: GetCurrentThreadId.KERNEL32 ref: 006D3A5E
Part of subcall function 006D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006D25B3), ref: 006D3A65

GetCaretPos.USER32(?), ref: 007016FF
ClientToScreen.USER32(00000000,?), ref: 0070174C
GetForegroundWindow.USER32 ref: 00701752

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 80c20f9eaa261f2996a926161b2155110dfe29db99a06dc9374d7136c8a23d9c
Instruction ID: a2fe632ef4ec988028f1eda8eceaf29d77657881624a0cfc38344a0b95a13b29
Opcode Fuzzy Hash: 80c20f9eaa261f2996a926161b2155110dfe29db99a06dc9374d7136c8a23d9c
Instruction Fuzzy Hash: A8314175D00149EFC740DFA9C881CAEBBF9EF48304B5481AEE415E7251DB359E45CBA4

Function 00708FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

GetCursorPos.USER32(?), ref: 00709001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006C7711,?,?,?,?,?), ref: 00709016
GetCursorPos.USER32(?), ref: 0070905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006C7711,?,?,?), ref: 00709094

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ec21751e967a046792547f45be657484a1bbd75690bf6ac2ff1fb77ebf86e4be
Instruction ID: 563bd4982321b8b4e8656b791023126e50718da705f6b967542ff8cd041b7035
Opcode Fuzzy Hash: ec21751e967a046792547f45be657484a1bbd75690bf6ac2ff1fb77ebf86e4be
Instruction Fuzzy Hash: 8321A135600018EFDB269F94CC58EFB7BF9EF4A350F144269FA45472A2C739A990DB60

Function 006DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0070CB68), ref: 006DD2FB
GetLastError.KERNEL32 ref: 006DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 006DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0070CB68), ref: 006DD376

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 12bcf468aa62447e6ea3992e5e28aacd68e628e811995be1da7591bdf5273e52
Instruction ID: 1bb99067e6bcce2ea6e12ebb493fb969a3defa2d96eef492ee06b86bf8f725a7
Opcode Fuzzy Hash: 12bcf468aa62447e6ea3992e5e28aacd68e628e811995be1da7591bdf5273e52
Instruction Fuzzy Hash: E4217F70909201DFC710EF28C8818AAB7E5AE56364F108B1EF499C73E1DB31D946CB97

Function 006D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006D102A
Part of subcall function 006D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006D1036
Part of subcall function 006D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1045
Part of subcall function 006D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006D104C
Part of subcall function 006D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006D15BE
_memcmp.LIBVCRUNTIME ref: 006D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D1617
HeapFree.KERNEL32(00000000), ref: 006D161E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ff3bfc52fde324755d084c798d46f20a479bdaf05cd03fdb4898c6692d6815fd
Instruction ID: 87468ffac05f0d270cb0846c1f249ad84054e68813ae04c37f35500131298d1c
Opcode Fuzzy Hash: ff3bfc52fde324755d084c798d46f20a479bdaf05cd03fdb4898c6692d6815fd
Instruction Fuzzy Hash: A8216B71E00109FFDB10DFA4C945BEEB7B9EF45344F18855AE441AB341D774AA45CB50

Function 00702782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0070280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00702824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00702832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00702840

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 01f3177c0fdc9146dc8b47e300261abc78d7a08daa8865ac8b37cfae76278be3
Instruction ID: dcdc663f5b00815e75d2aeccac142d428b4d4cad4495afbe5f5808c6e011c5c6
Opcode Fuzzy Hash: 01f3177c0fdc9146dc8b47e300261abc78d7a08daa8865ac8b37cfae76278be3
Instruction Fuzzy Hash: 1C21B236204111EFE7159B24CC48F6A7795AF45324F24C358F5168B6D3DB79EC42C790

Function 006D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,006D790A,?,000000FF,?,006D8754,00000000,?,0000001C,?,?), ref: 006D8D8C
Part of subcall function 006D8D7D: lstrcpyW.KERNEL32(00000000,?,?,006D790A,?,000000FF,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D8DB2
Part of subcall function 006D8D7D: lstrcmpiW.KERNEL32(00000000,?,006D790A,?,000000FF,?,006D8754,00000000,?,0000001C,?,?), ref: 006D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D7923
lstrcpyW.KERNEL32(00000000,?,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,006D8754,00000000,?,0000001C,?,?,00000000), ref: 006D7984

Strings

cdecl, xrefs: 006D797B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 06b079e9d064fba2f717671e1c0b5625bbf3f7793db390ecb7e40c6a6b91b89b
Instruction ID: 8c43e36b1625358e9ee549ea6d35e577f4a0d2ab8d14da98074a0cb851cd5801
Opcode Fuzzy Hash: 06b079e9d064fba2f717671e1c0b5625bbf3f7793db390ecb7e40c6a6b91b89b
Instruction Fuzzy Hash: FA11E43A600201AFCB155F34C855DBA77A6FF85350B00812BE802CB3A4FF319811C7A6

Function 00707CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00707D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00707D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00707D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006EB7AD,00000000), ref: 00707D6B

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: ff66e5fa94f17c9dd9211848f0aea71fe75f1fb58b88f552f3389db1b247cbb5
Instruction ID: b91945b4a3620a9bb6dd700a50b449a7ba6ede7af10cb0576efbe5d2eaa2f962
Opcode Fuzzy Hash: ff66e5fa94f17c9dd9211848f0aea71fe75f1fb58b88f552f3389db1b247cbb5
Instruction Fuzzy Hash: AB11CD35A05654EFDB14DF28CC04AA63BE9AF46360B258324F839CB2F0E738A950DB50

Function 00705660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007056BB
_wcslen.LIBCMT ref: 007056CD
_wcslen.LIBCMT ref: 007056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00705816

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 933b60243ecd73e250db87a63e9ad1eac5d49c660b822dc81f8cd053e659b527
Instruction ID: f65747736b150b5766ff8b647e7ce7734d5db30d701bc40286a274dc2b99c738
Opcode Fuzzy Hash: 933b60243ecd73e250db87a63e9ad1eac5d49c660b822dc81f8cd053e659b527
Instruction Fuzzy Hash: 6711BE75A00608E6DF209F61CC85EEF77ECEF11760B50826AF915D60C1EBB89A81CF64

Function 006A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e65c9941c938c419db1118aae947ab0ee280580f858066cc61913f0740ae24
Instruction ID: 23b469203b257e77fe8b0e0aefd6fcab6a70df63d54d6b60533b45b1cc4db572
Opcode Fuzzy Hash: 49e65c9941c938c419db1118aae947ab0ee280580f858066cc61913f0740ae24
Instruction Fuzzy Hash: 6201A2B220961A7EF65136786CC0F67661EDF437B8F34032AF521652D2DB609C004974

Function 006D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006D1A8A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 436cc3173b1fe0396af70cdb0e7cdc72ab2aa5b4a5069e628818555b86c53606
Instruction ID: 48ea31594ea25bc8a3f133f0dba7aebca082d40166e27f0f2d918efeb190e85b
Opcode Fuzzy Hash: 436cc3173b1fe0396af70cdb0e7cdc72ab2aa5b4a5069e628818555b86c53606
Instruction Fuzzy Hash: D1113C3AD01219FFEB11DBA4CD85FADBB79EB04750F240092E600BB290D6B16E51DB94

Function 006DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 006DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006DE24D

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c9d61ff9ace108f5e12db7bc2a57f5e5e5a1dcfb5e86672ae652654ee9a1708a
Instruction ID: 0933cfe72e15dc3b5bf2d61a339dc47d339f40ef68ab21620c879206ef99cff6
Opcode Fuzzy Hash: c9d61ff9ace108f5e12db7bc2a57f5e5e5a1dcfb5e86672ae652654ee9a1708a
Instruction Fuzzy Hash: CA110876D04258BBC702AFA89C05A9F7FAD9B46310F00831AF914D7390D775DA0487A4

Function 0069D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0069CFF9,00000000,00000004,00000000), ref: 0069D218
GetLastError.KERNEL32 ref: 0069D224
__dosmaperr.LIBCMT ref: 0069D22B
ResumeThread.KERNEL32(00000000), ref: 0069D249

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2e152da9e94343dd52750eec65cc5afe3c27d6c7336a6bd62b6251a4deac39f3
Instruction ID: 5cdaa69ed5607275b4fe09ccb93dbc25bce8122441ef6889acfb2ff9c5b63ede
Opcode Fuzzy Hash: 2e152da9e94343dd52750eec65cc5afe3c27d6c7336a6bd62b6251a4deac39f3
Instruction Fuzzy Hash: 4101D236805208BBCF116BA5DC09BAA7A6EDF82730F204329FA25925D0CF70CA01C6A5

Function 00709EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00689BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00689BB2

GetClientRect.USER32(?,?), ref: 00709F31
GetCursorPos.USER32(?), ref: 00709F3B
ScreenToClient.USER32(?,?), ref: 00709F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00709F7A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: da22bafca155a794a6827fde57bcb3da31978fd237a1b5e48406a52ea5b3d325
Instruction ID: e8d9591c1da00b3c8be895c554b7459196e0f0f8f96b8500462662ebdf9657aa
Opcode Fuzzy Hash: da22bafca155a794a6827fde57bcb3da31978fd237a1b5e48406a52ea5b3d325
Instruction Fuzzy Hash: 8511973290011AEBDB01EFA8C8899FE77B8FB05311F004651FA01E3182C738BA91CBA5

Function 0067600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0067604C
GetStockObject.GDI32(00000011), ref: 00676060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0067606A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f1d4db99044eecd27bf5c43de2856d31300ffacb1c34186c7da92455a13385ed
Instruction ID: ea9789bc735574af0e62fc9905b24d6bb1e4f977dee87f07c9e414fd3aa5710b
Opcode Fuzzy Hash: f1d4db99044eecd27bf5c43de2856d31300ffacb1c34186c7da92455a13385ed
Instruction Fuzzy Hash: B511A172101908FFEF125F94CD44EEA7B6AFF08364F008205FA0852110CB369C60DF90

Function 00693B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00693B56

Part of subcall function 00693AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00693AD2
Part of subcall function 00693AA3: ___AdjustPointer.LIBCMT ref: 00693AED

_UnwindNestedFrames.LIBCMT ref: 00693B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00693B7C
CallCatchBlock.LIBVCRUNTIME ref: 00693BA4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 100aac76d4ad07843a2a445b962a9389ad04445e3afc9047f118d9730fd7df20
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 97012932100148BBDF126E95CC42EEB3B6EEF58B54F044018FE4896621C732E962EBA4

Function 006A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006713C6,00000000,00000000,?,006A301A,006713C6,00000000,00000000,00000000,?,006A328B,00000006,FlsSetValue), ref: 006A30A5
GetLastError.KERNEL32(?,006A301A,006713C6,00000000,00000000,00000000,?,006A328B,00000006,FlsSetValue,00712290,FlsSetValue,00000000,00000364,?,006A2E46), ref: 006A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006A301A,006713C6,00000000,00000000,00000000,?,006A328B,00000006,FlsSetValue,00712290,FlsSetValue,00000000), ref: 006A30BF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6d6724c7910ff8954a6222d7ab15c87ee31a24a678ae46d9388c64447203b192
Instruction ID: 87d07e5a72c7b89641e273f09e4b467bdebea55dce233ec0377b87f718216b5f
Opcode Fuzzy Hash: 6d6724c7910ff8954a6222d7ab15c87ee31a24a678ae46d9388c64447203b192
Instruction Fuzzy Hash: 7D01F732301332EBCB319B799C449977B9AAF07BA1B208720F905E7380CB25DD01CAE4

Function 006D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 006D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006D74CA

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 9438c7888ec7feb61e95f29769ce44e0c98935598ed6b815c3eb9c87eec9e5f3
Instruction ID: f67d7e580b1d8913b4a01a88f6c36717c90e43f8ffe6b9e2fca089c150bb2387
Opcode Fuzzy Hash: 9438c7888ec7feb61e95f29769ce44e0c98935598ed6b815c3eb9c87eec9e5f3
Instruction Fuzzy Hash: 3911A1B1605314DBE722CF14DC08B92BFFDEB00B00F10866AF616D6291EB74E904DB52

Function 006DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,006DACD3,?,00008000), ref: 006DB126

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 503eeb8ce365cd09bd55b35e233cfbc40d1b1c4a0af7522d8e0c6014fa751561
Instruction ID: aab56c3b6d2984a8a7d4e8a33ba260fdb8b8a0fdd28178643e3aabc768e4b9a8
Opcode Fuzzy Hash: 503eeb8ce365cd09bd55b35e233cfbc40d1b1c4a0af7522d8e0c6014fa751561
Instruction Fuzzy Hash: 07118E70C0061CD7CF10AFE4ED596EEBB79FF0A311F028286D941B2245CF3449508B95

Function 00707E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00707E33
ScreenToClient.USER32(?,?), ref: 00707E4B
ScreenToClient.USER32(?,?), ref: 00707E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00707E8A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1c00d3e52bd6d6f87f7306ae71a6a2b79090185953bd4f4a55878e147d144899
Instruction ID: e4b698af91e2adfdf632b1c015c389e7eb9205bb2a30062a1e1e29c5e77dc36e
Opcode Fuzzy Hash: 1c00d3e52bd6d6f87f7306ae71a6a2b79090185953bd4f4a55878e147d144899
Instruction Fuzzy Hash: 0C1160B9D0020AEFDB41CF98C884AEEBBF9FB08310F109166E911E2250D735AA54CF90

Function 006D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 006D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 006D2DD6
GetCurrentThreadId.KERNEL32 ref: 006D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 006D2DE4

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 806fa67157c03c18201fc8cb566045d2b8ef4b312fb39c18ef73c22943b2907f
Instruction ID: 4fdd61997fa18cb6a346b43d3121e4ec08fb1ff3e92cfd9a76a53b948369dbf4
Opcode Fuzzy Hash: 806fa67157c03c18201fc8cb566045d2b8ef4b312fb39c18ef73c22943b2907f
Instruction Fuzzy Hash: CEE092B1501224BBD7315B729C0EFEB7E6EEF96BA1F004316F105D11809EA9C841C6B0

Function 00708863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00689639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00689693
Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896A2
Part of subcall function 00689639: BeginPath.GDI32(?), ref: 006896B9
Part of subcall function 00689639: SelectObject.GDI32(?,00000000), ref: 006896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00708887
LineTo.GDI32(?,?,?), ref: 00708894
EndPath.GDI32(?), ref: 007088A4
StrokePath.GDI32(?), ref: 007088B2

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f055b61192321cd29d024c6d34b94b389c61b5ff649454ec5b7b7590596ae458
Instruction ID: 433806c6cd8e4c663475daaa991da80b0505b75db61312975b0acf19c2503e2e
Opcode Fuzzy Hash: f055b61192321cd29d024c6d34b94b389c61b5ff649454ec5b7b7590596ae458
Instruction Fuzzy Hash: 01F03A36041258FAEB136F94AC09FCA3E59AF06310F44C201FA11651E1CBB95551DBE9

Function 006898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006898CC
SetTextColor.GDI32(?,?), ref: 006898D6
SetBkMode.GDI32(?,00000001), ref: 006898E9
GetStockObject.GDI32(00000005), ref: 006898F1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 52a477f48409e860a29389476552cad06fad7f12a49b6c695cf35700e1a1e8af
Instruction ID: da0b77bc8536fed8a6f5ee0f15f1d089c992613b27184aef77a15b274fbf2d2f
Opcode Fuzzy Hash: 52a477f48409e860a29389476552cad06fad7f12a49b6c695cf35700e1a1e8af
Instruction Fuzzy Hash: 13E06D31244284EEDB225B74EC09BE83F61EB12336F18C319FAFA581E1CB7546509F20

Function 006D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006D11D9), ref: 006D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006D11D9), ref: 006D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006D11D9), ref: 006D164F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 980822949a5566dbf2545132a75d8b05724a7c3584abea6f78038c18c9d90df2
Instruction ID: 70b9a01de21879ca0e8d35a60a39cd65d5c7845811f72e4df4acda25ded0897b
Opcode Fuzzy Hash: 980822949a5566dbf2545132a75d8b05724a7c3584abea6f78038c18c9d90df2
Instruction Fuzzy Hash: F0E08C32A02211EBE7201FA0AE0DB963B7DAF45792F14CA09F245CD080EA788440CB68

Function 006CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006CD858
GetDC.USER32(00000000), ref: 006CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006CD882
ReleaseDC.USER32(?), ref: 006CD8A3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d1ea454b8d9c79edec59a8ef28533cfd4c9647708f7185449734d371711750a7
Instruction ID: 96c871c4de380e3b198c398048365a2b29d81c695b70b7f51553d2b2f1415de1
Opcode Fuzzy Hash: d1ea454b8d9c79edec59a8ef28533cfd4c9647708f7185449734d371711750a7
Instruction Fuzzy Hash: 19E01AB0800204EFCF52AFA0D808A6DBBB2FB08310F10C219F846E7250CB3D8902AF54

Function 006CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006CD86C
GetDC.USER32(00000000), ref: 006CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006CD882
ReleaseDC.USER32(?), ref: 006CD8A3

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e6ba0305685304b966c75a9add4a52b3d2104492052807b9d31f32f17ae708a2
Instruction ID: 1a8d0dc2a18b20755e1ee1d3fceeb41194b5d365abe74081514b64b6529ab118
Opcode Fuzzy Hash: e6ba0305685304b966c75a9add4a52b3d2104492052807b9d31f32f17ae708a2
Instruction Fuzzy Hash: B3E09A75800204DFCF52AFA0D80866DBBB6BB48311F14C649E94AE7250CB3D59019F54

Function 006E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00677620: _wcslen.LIBCMT ref: 00677625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 006E4ED4

Strings

LPT, xrefs: 006E4DFB
*, xrefs: 006E4E10

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7c949d67cf88e9f64339d2c9c3b9475ced71269c80c1cca3a2b851cdc958b02b
Instruction ID: 657a00c8fef383a14a45a23f8a323f8d27d1a6f9065b2934310a6c3c5ebebd1a
Opcode Fuzzy Hash: 7c949d67cf88e9f64339d2c9c3b9475ced71269c80c1cca3a2b851cdc958b02b
Instruction Fuzzy Hash: 25918175A012449FDB14DF65C484EAABBF2BF84704F18809DE80A9F362CB35ED85CB91

Function 0069E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0069E30D

Strings

pow, xrefs: 0069E2E5, 0069E302

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 710cee4a7dc7609cd123b3d99121ec68d9f9a7cde1a84a2b46d7742662117be2
Instruction ID: c5bcdb747189de4208257a62bf4bebaaf1c277fc11c54ae588161124fa6613b9
Opcode Fuzzy Hash: 710cee4a7dc7609cd123b3d99121ec68d9f9a7cde1a84a2b46d7742662117be2
Instruction Fuzzy Hash: E8513B61A0C20296CF15B718CD013F93BEEEF41740F748D69E095427EAEB368D969E4A

Function 006F7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(006C569E,00000000,?,0070CC08,?,00000000,00000000), ref: 006F78DD

Part of subcall function 00676B57: _wcslen.LIBCMT ref: 00676B6A

CharUpperBuffW.USER32(006C569E,00000000,?,0070CC08,00000000,?,00000000,00000000), ref: 006F783B

Strings

<ss, xrefs: 006F77C8

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <ss
API String ID: 3544283678-523161429
Opcode ID: 44a715e15142dc0254b7a7bbf74366de113f1984f6a544ceacb8cb8fd04891aa
Instruction ID: f1dd2779b8599318bebffeaea3feba98fef814df14408a949d80d46e30527ec1
Opcode Fuzzy Hash: 44a715e15142dc0254b7a7bbf74366de113f1984f6a544ceacb8cb8fd04891aa
Instruction Fuzzy Hash: 25617E72914128EACF44FBE4CC91DFDB3BABF14300B548129F646A7192EF745A09DBA4

Function 0068E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0068E1B1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a274a0a0779338ba89815ba82c07264c40002e346f1b6731232be186aef97803
Instruction ID: 4a8e319cccdcf8f995574926788dd6f1e7864de1726ad0b75d04f55fa2c0ba38
Opcode Fuzzy Hash: a274a0a0779338ba89815ba82c07264c40002e346f1b6731232be186aef97803
Instruction Fuzzy Hash: DB511335500246DFDB15EF28C491AFA7BB6EF25310F248159E8919B390DA369E43CBA0

Function 0068F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0068F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0068F2BB

Strings

@, xrefs: 0068F2AF

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5efaa5cde9f7d49b0df757d9c51a71715d21faaa977fcbce2ef132a8773254c7
Instruction ID: 7db92f159a8b1cb22f91aabb23967eb5b15e987666f82bb7399bc3252c8a7da5
Opcode Fuzzy Hash: 5efaa5cde9f7d49b0df757d9c51a71715d21faaa977fcbce2ef132a8773254c7
Instruction Fuzzy Hash: 7E5154714087449BD360AF20DC86BAFBBF9FF95310F81885CF1D9411A5EB349929CB6A

Function 006F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006F57E0
_wcslen.LIBCMT ref: 006F57EC

Strings

CALLARGARRAY, xrefs: 006F57E6, 006F57EB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 59619445199e1e5c4ca8a0fb100adb5545206957553893b4ee00c8a068626b67
Instruction ID: 8a710f762557dccd185ff8c46abcfb10d4542b32adc6e4d989b2198d772fcadb
Opcode Fuzzy Hash: 59619445199e1e5c4ca8a0fb100adb5545206957553893b4ee00c8a068626b67
Instruction Fuzzy Hash: A8418E71A001199FCB14DFA8C8818FEBBF6EF59350F10412DE616A7391E7349D81CBA4

Function 006ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006ED13A

Strings

|, xrefs: 006ED10B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 9614cf67f5bb1587e9c48719c5df11d30a64dd576d808c86e9724e4c97869a2e
Instruction ID: af07d16758c9cee9c4430325c28dde29e970aad2e87e729fcae1319da50253ae
Opcode Fuzzy Hash: 9614cf67f5bb1587e9c48719c5df11d30a64dd576d808c86e9724e4c97869a2e
Instruction Fuzzy Hash: 9D314F71D01209ABCF55EFA5CC85EEE7FBAFF04344F104019F819A6265EB31AA06CB65

Function 0070356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00703621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0070365C

Strings

static, xrefs: 007035BC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 6d0751940719cf859113f527f89e56c1f7f7f64d0338ae8f216d78bffe2aef24
Instruction ID: 571b47f8d6bb39e510e3bbc07efdb2eaa0e6dddc739b50016345c4180f379e47
Opcode Fuzzy Hash: 6d0751940719cf859113f527f89e56c1f7f7f64d0338ae8f216d78bffe2aef24
Instruction Fuzzy Hash: 09318A71110604EAEB209F78DC80EBB73EDFF88720F10971DF8A597290DA39AD918764

Function 00704537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0070461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00704634

Strings

', xrefs: 0070458E

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a428897fae623c181d0174767a431a04364768d01ecf9f42951bacff054565e5
Instruction ID: 5d6dd8c435de3d0232793154759a2e383d9cd8d8182ce985f5a5e832780e1048
Opcode Fuzzy Hash: a428897fae623c181d0174767a431a04364768d01ecf9f42951bacff054565e5
Instruction Fuzzy Hash: 123127B5A01209DFDB14CFA9C980BDA7BF5FF49300F10416AEA04AB381E775A951CF90

Function 007031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0070327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00703287

Strings

Combobox, xrefs: 00703249

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ba922d109648250556f6074e05d4c40fd76c3fe11e082fb1a028c811d3c5452c
Instruction ID: 3ed8e093f0acf534d6cc16f43154cdd188bba9179abe8002366cb465deeadbb7
Opcode Fuzzy Hash: ba922d109648250556f6074e05d4c40fd76c3fe11e082fb1a028c811d3c5452c
Instruction Fuzzy Hash: A4116071200208BFEF259F54DC85EBB37AEEB94364F104229F918972D1D6799D518760

Function 00703710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0067600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0067604C
Part of subcall function 0067600E: GetStockObject.GDI32(00000011), ref: 00676060
Part of subcall function 0067600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0067606A

GetWindowRect.USER32(00000000,?), ref: 0070377A
GetSysColor.USER32(00000012), ref: 00703794

Strings

static, xrefs: 00703757

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ed22c6237907caa0d8df194879b194e97c62251a13a75d455ea87bf45409c5ee
Instruction ID: ba3f24f2d3f1d8f3af8f86a5c5ec463aa7ea8502094fc0bb0507fbe5078cd36b
Opcode Fuzzy Hash: ed22c6237907caa0d8df194879b194e97c62251a13a75d455ea87bf45409c5ee
Instruction Fuzzy Hash: 671129B2610209EFDB01DFA8CC45AEA7BF8EB08314F005A15F955E2290DB39E8619B50

Function 006ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006ECDA6

Strings

<local>, xrefs: 006ECD66

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a3b063257298f4fee9b3ece8ec98a2d68826a830106e4f1af4b825f6f0a791a2
Instruction ID: 29a35a9c926faef69157483d5b35b10a4c423e878ba18404edcca6296bce2e2b
Opcode Fuzzy Hash: a3b063257298f4fee9b3ece8ec98a2d68826a830106e4f1af4b825f6f0a791a2
Instruction Fuzzy Hash: 3F11C271206771BAD7384B678C49EE7BEAEEF527B4F00422AB10983180D7769842D6F0

Function 00703429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007034BA

Strings

edit, xrefs: 0070348F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 49d577732edda4e4e22c59a2463f34814fbb968093fe01160a320cb648db43fa
Instruction ID: 94151ee3e544798e99265e5beee970a0472610108e550c1b0f9e740058cf1c5b
Opcode Fuzzy Hash: 49d577732edda4e4e22c59a2463f34814fbb968093fe01160a320cb648db43fa
Instruction Fuzzy Hash: 48118C71100248EBEB228F64DC84ABB37AEEF05374F508724F9659B1E0C779EC919B65

Function 006D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

CharUpperBuffW.USER32(?,?,?), ref: 006D6CB6
_wcslen.LIBCMT ref: 006D6CC2

Strings

STOP, xrefs: 006D6CBC, 006D6CC1

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 114d275ff948d10c4ef51529d2380f29df893b15ee3cb0d91eab667cb0d42bd2
Instruction ID: b7da242472b0479b2bc52e47365ef324eaaa8636b9f5b4e410ec808ae10501f8
Opcode Fuzzy Hash: 114d275ff948d10c4ef51529d2380f29df893b15ee3cb0d91eab667cb0d42bd2
Instruction Fuzzy Hash: 8601C432E145278ACB219FBDDC819FF77B7EF61710710052AF85296391EA35D901C650

Function 006D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006D1D4C

Strings

ListBox, xrefs: 006D1D16
ComboBox, xrefs: 006D1CEB

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ceba3c6f55cbc67bd665a258da7c86810e09f2ca1f7e6667ecc9d7789973aaf5
Instruction ID: d3b77c9a1ebc37a6fbc4ee50ba4dfeebd0be08efb4c0d4fc82e8d57b72becc4d
Opcode Fuzzy Hash: ceba3c6f55cbc67bd665a258da7c86810e09f2ca1f7e6667ecc9d7789973aaf5
Instruction Fuzzy Hash: 1501B571A11218ABCB18EBA4CC51CFE73ABEF57350B044A1EE8265B3C1EB7159098665

Function 006D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 006D1C46

Strings

ListBox, xrefs: 006D1C10
ComboBox, xrefs: 006D1BE5

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9de970bdf9d6ec33fe4895859a268800c25c35df02d04aa3ea9896ee9dca3deb
Instruction ID: c3fa7e1427ee16154a68b3c888f2c276f3e13ce3736441a7b27018bb2ad07130
Opcode Fuzzy Hash: 9de970bdf9d6ec33fe4895859a268800c25c35df02d04aa3ea9896ee9dca3deb
Instruction Fuzzy Hash: B201A7B5F91108B6DF19EB90CD52DFF77EA9B12340F14001EA40667382EA689E0986B6

Function 006D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 006D1CC8

Strings

ListBox, xrefs: 006D1C94
ComboBox, xrefs: 006D1C69

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3197fc00f1bc4557471cff84ab9db29df16f27bbacd2a1ff274aba1fda7f6ac5
Instruction ID: 3560209c48f78b776c4e3e51bfc6fa64cbddf8fbdd6750eeed730ef06d28e3ad
Opcode Fuzzy Hash: 3197fc00f1bc4557471cff84ab9db29df16f27bbacd2a1ff274aba1fda7f6ac5
Instruction Fuzzy Hash: 3301A7B1B9011876DB15E790CA12EFE73EA9B12340F14001AB80577382EA659F098676

Function 0068A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0068A529

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Strings

3yl, xrefs: 0068A545, 0068A54D, 0068A552
,%t, xrefs: 0068A509

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%t$3yl
API String ID: 2551934079-2110182000
Opcode ID: 802f4e3b16015162c114dabd785f7d05a0901561baf361ab54adc8534ccc76b9
Instruction ID: f923746ba7ee8dbe3c3f33cee556628f27b6f087615ecf9eebc2f5a0be25da18
Opcode Fuzzy Hash: 802f4e3b16015162c114dabd785f7d05a0901561baf361ab54adc8534ccc76b9
Instruction Fuzzy Hash: F8012B317006109BEA04F7A8D81BA9D73ABDB05710F50426EF905572C3DF645D428BAF

Function 006D1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00679CB3: _wcslen.LIBCMT ref: 00679CBD

Part of subcall function 006D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 006D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 006D1DD3

Strings

ListBox, xrefs: 006D1DA0
ComboBox, xrefs: 006D1D75

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5f803ed2afb6fe674b1f2dffd99f31b34ce4bc389d98e2e7e815b3756d22c4b8
Instruction ID: c811993c0116c44672675584901d716211d5bee361653ade5bc6a43a26008787
Opcode Fuzzy Hash: 5f803ed2afb6fe674b1f2dffd99f31b34ce4bc389d98e2e7e815b3756d22c4b8
Instruction Fuzzy Hash: F5F0F4B1F50218B6DB08E7A4CC52EFE73BAAF12350F04091AB826673C2DBA459088675

Function 00708172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00743018,0074305C), ref: 007081BF
CloseHandle.KERNEL32 ref: 007081D1

Strings

\0t, xrefs: 0070818A

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0t
API String ID: 3712363035-315198736
Opcode ID: 20b86d8cb5554909b0ab7e39c25eed8db1b51fd9858a37053c1d23ce03e0d935
Instruction ID: 3ec7e80eda04f39d2082f7ea7f465d65c09c3dcb05f2b6d29c7cb1a7cf988cb1
Opcode Fuzzy Hash: 20b86d8cb5554909b0ab7e39c25eed8db1b51fd9858a37053c1d23ce03e0d935
Instruction Fuzzy Hash: 03F05EB5640304BAF7206761AC45FB77A9EDB05750F008626BB0CD61B2D77E8A0082BD

Function 006F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006F7493
_wcslen.LIBCMT ref: 006F74B9

Strings

3, 3, 16, 1, xrefs: 006F7483

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d1771dad047eebf6519445ae7141ce7c55d12ab03d470c942b82af3eec3e8c4c
Instruction ID: c857ddec887922dd5d7b5bea5e32cda872b143231165048eb72c9f72963a08b0
Opcode Fuzzy Hash: d1771dad047eebf6519445ae7141ce7c55d12ab03d470c942b82af3eec3e8c4c
Instruction Fuzzy Hash: 9EE02B4220422410927122799CC1DBF57CFCFC9750710182FFA81C236AEE948D9293E4

Function 006D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006D0B23

Strings

AutoIt, xrefs: 006D0B17
Error allocating memory., xrefs: 006D0B1C

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e72a31f2ac738d6ef2c7fdc992a9c3275cc07b661c315ed5f0e962fdaabf5895
Instruction ID: 48bc33df4ec890a23a3d6c981182329975b32786df0e240bb65c7cee553cb16a
Opcode Fuzzy Hash: e72a31f2ac738d6ef2c7fdc992a9c3275cc07b661c315ed5f0e962fdaabf5895
Instruction Fuzzy Hash: 53E0D832244308B6E2553754BC07FC97BC58F05B51F10462FF748955C38ED6249046AD

Function 00690D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0068F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00690D71,?,?,?,0067100A), ref: 0068F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0067100A), ref: 00690D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0067100A), ref: 00690D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00690D7F

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e2b1c92d00ece44d71a11aa76a43953c7c7c532d0d211ffd4116ab3fc8679368
Instruction ID: 84d08cba9686107ffa1b778a145251560400b4e5d265fe0c4dfadbd5781e3352
Opcode Fuzzy Hash: e2b1c92d00ece44d71a11aa76a43953c7c7c532d0d211ffd4116ab3fc8679368
Instruction Fuzzy Hash: A7E0E574200751CFE7719F78D8047467BE5BF14744F008B2DE495C6A51DBB9E4488B95

Function 0068E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0068E3D5

Strings

0%t, xrefs: 0068E3B5
8%t, xrefs: 0068E3CA

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%t$8%t
API String ID: 1385522511-3566158117
Opcode ID: c6751414d57b6b24c93a67b00644b7c0f6f7a20d700845a1f27cb42980dc9835
Instruction ID: 59e153d56623755417a78dbd24c9b2578d5d4c12cd231532948f9ebd29b700bc
Opcode Fuzzy Hash: c6751414d57b6b24c93a67b00644b7c0f6f7a20d700845a1f27cb42980dc9835
Instruction Fuzzy Hash: 8FE02639508D10CFCA04B718B854A88B35BEB06320B9042FAF102872D3DB392C63874C

Function 006E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 006E3044

Strings

aut, xrefs: 006E3038

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ed85e5ada1040330a5866b83cfb2c5c70cbe8d722ce5ffecf520b12a05913a87
Instruction ID: ad266126209d14cb36fbb63bb2a3a4f43abc82484e07b625ebd4a3b4fab7dd7a
Opcode Fuzzy Hash: ed85e5ada1040330a5866b83cfb2c5c70cbe8d722ce5ffecf520b12a05913a87
Instruction Fuzzy Hash: 52D05EB2500328B7DA20A7A4AC0EFCB3A6CEB05750F0043A1B655E60D1DEF89984CAD4

Function 006CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006CD220

Strings

X64, xrefs: 006CD2A8
%.3d, xrefs: 006CD22B

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b10101e022b303dd3df20ad27e5c0d8e3a4548e7513fb8b96beda8a34b2a9894
Instruction ID: 59b78aff741de97555ee5f93eef72ec09cebcbcf80b70c40d54288efb41f7648
Opcode Fuzzy Hash: b10101e022b303dd3df20ad27e5c0d8e3a4548e7513fb8b96beda8a34b2a9894
Instruction Fuzzy Hash: A8D012A1C08108E9CB90A7D0CC45EBAB3BDFB09301F50857AFA0692040D63CC64AAB61

Function 00702356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070236C
PostMessageW.USER32(00000000), ref: 00702373

Part of subcall function 006DE97B: Sleep.KERNEL32 ref: 006DE9F3

Strings

Shell_TrayWnd, xrefs: 00702365

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f90b3d50f566237a22fa4b7b694f1ee596aa806da4cf3f0aa3906a45c069a2ea
Instruction ID: dc56aaf86460a58cf71506c165c9a5b7d6318b27ad9448f60ddaa372c8b6c3f4
Opcode Fuzzy Hash: f90b3d50f566237a22fa4b7b694f1ee596aa806da4cf3f0aa3906a45c069a2ea
Instruction Fuzzy Hash: FED0A972781300BAE2A8B3309C0FFC666089B00B04F108B067201AA1D0C8A9A8008A58

Function 00702322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0070233F

Part of subcall function 006DE97B: Sleep.KERNEL32 ref: 006DE9F3

Strings

Shell_TrayWnd, xrefs: 00702325

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3051555868429f236be361eda1b175ae5e93d83f3aedc2a3c5fd58af8fbf2ef4
Instruction ID: 86fd1a057ade134631c4dcf0a8456e93ad79aed1458a53bacfa16168b411b268
Opcode Fuzzy Hash: 3051555868429f236be361eda1b175ae5e93d83f3aedc2a3c5fd58af8fbf2ef4
Instruction Fuzzy Hash: 0DD0A976780300B6E2A8B3309C0FFC66A089B00B04F108B067205AA1D0C8A9A8008A58

Function 006ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 006ABE93
GetLastError.KERNEL32 ref: 006ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006ABEFC

Memory Dump Source

Source File: 00000000.00000002.1706582461.0000000000671000.00000020.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true

Associated: 00000000.00000002.1706519338.0000000000670000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.000000000070C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706913230.0000000000732000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707505340.000000000073C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707605541.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9b4663cc7d47955a1d2063e0820c2a6371b27cce1219874fe10ffd90f6f55c16
Instruction ID: cfcfc6a0463201ea7e4225a8d9d81f55755f9b83f32fd0975e7b34989d1a5318
Opcode Fuzzy Hash: 9b4663cc7d47955a1d2063e0820c2a6371b27cce1219874fe10ffd90f6f55c16
Instruction Fuzzy Hash: C8412B34605246EFCF21AF64CC54AFA7BA6EF03350F189269F959972A2DB308D01CF51

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49763
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49786

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1766693130.000001DD7886B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1766493116.000001DD7886B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764680240.000001DD81329000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1825840929.000001DD7881D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1826242972.000001DD79162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1769500182.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843326834.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1817974620.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1774388796.000001DD7FF79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819409336.000001DD801C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1774388796.000001DD7FF79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1771224859.000001DD809C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769500182.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843326834.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1774388796.000001DD7FF79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1819409336.000001DD801C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1774388796.000001DD7FF79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.000002638730A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.000002638730A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1849306403.000001DD79FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3506876814.000002638730A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3506413536.0000018CEB40C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/h equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1825840929.000001DD7881D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1826242972.000001DD79162000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1771224859.000001DD809C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769500182.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843326834.000001DD815C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1726153850.000001DD78BD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1771224859.000001DD809A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50061 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8e1024c6-a904-4ad9-9906-d3c31a0dc2d3.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8e1024c6-a904-4ad9-9906-d3c31a0dc2d3.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N2YU3HEZYD5C986D5N5B.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TUHCJ7T574UJFMNWO596.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre