Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561689
MD5:	f461a88df2b23d0db11354b7284870e1
SHA1:	5f88d3b4e6640ed038b48e26a0c1fc50c7c39eb8
SHA256:	18cc5ff7b0dd625d23b7ecee3fa639b2368227373d1426674b7224906d0ce73f
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F461A88DF2B23D0DB11354B7284870E1)

taskkill.exe (PID: 7460 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7556 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7620 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7676 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7752 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7816 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7852 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7868 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8120 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdb6cb1-7dc1-4911-ac4c-bfb5f1e5f2e5} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d72a6d910 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7804 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3796 -parentBuildID 20230927232528 -prefsHandle 3812 -prefMapHandle 3584 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb42aa61-4454-4ee0-acce-73b006d0329d} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d04ee4310 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7592 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40aa82e2-f3c8-416a-a76a-fd595b206e92} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d046e8710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7444	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-24T05:18:50.164046+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.208.16.94	443	TCP

Code function: 0_2_0010EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0010EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0010ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0010EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_000FAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00129576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00129576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_98d5ef22-d
Source: file.exe, 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0c86bd7b-0
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7b481c91-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3b622cce-4

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024272018F37 NtQuerySystemInformation,		16_2_0000024272018F37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000242720371F2 NtQuerySystemInformation,		16_2_00000242720371F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000FD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000F1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_000FE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00102046	0_2_00102046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00098060	0_2_00098060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F8298	0_2_000F8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000CE4FF	0_2_000CE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C676B	0_2_000C676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00124873	0_2_00124873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000BCAA0	0_2_000BCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0009CAF0	0_2_0009CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000ACC39	0_2_000ACC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C6DD9	0_2_000C6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000AB119	0_2_000AB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000991C0	0_2_000991C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B1394	0_2_000B1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B1706	0_2_000B1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B781B	0_2_000B781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00097920	0_2_00097920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000A997D	0_2_000A997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B19B0	0_2_000B19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B7A4A	0_2_000B7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B1C77	0_2_000B1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B7CA7	0_2_000B7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0011BE44	0_2_0011BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C9EEE	0_2_000C9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B1F32	0_2_000B1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024272018F37	16_2_0000024272018F37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000242720371F2	16_2_00000242720371F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024272037232	16_2_0000024272037232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002427203791C	16_2_000002427203791C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000AF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 000B0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001037B5 GetLastError,FormatMessageW,

0_2_001037B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F10BF AdjustTokenPrivileges,CloseHandle,		0_2_000F10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_000F16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001051CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001051CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_000FD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0010648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000942A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000942A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1829888475.0000024D0E933000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe	Virustotal: Detection: 32%
Source: file.exe	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdb6cb1-7dc1-4911-ac4c-bfb5f1e5f2e5} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d72a6d910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3796 -parentBuildID 20230927232528 -prefsHandle 3812 -prefMapHandle 3584 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb42aa61-4454-4ee0-acce-73b006d0329d} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d04ee4310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40aa82e2-f3c8-416a-a76a-fd595b206e92} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d046e8710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdb6cb1-7dc1-4911-ac4c-bfb5f1e5f2e5} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d72a6d910 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3796 -parentBuildID 20230927232528 -prefsHandle 3812 -prefMapHandle 3584 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb42aa61-4454-4ee0-acce-73b006d0329d} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d04ee4310 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40aa82e2-f3c8-416a-a76a-fd595b206e92} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d046e8710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1850103030.0000024D002CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1849023390.0000024D002C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1849787377.0000024D002C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1850103030.0000024D002CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1849023390.0000024D002C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1849787377.0000024D002C6000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000B0A76 push ecx; ret

0_2_000B0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000AF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_000AF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00121C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00121C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95853

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024272018F37 rdtsc

16_2_0000024272018F37

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000FDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000FDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001068EE FindFirstFileW,FindClose,	0_2_001068EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0010698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000FD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000FD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000FD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000FD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00109642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00109642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0010979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00109B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00109B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00105C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00105C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Source: firefox.exe, 00000010.00000002.3552834406.0000024272070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)U,
Source: firefox.exe, 00000010.00000002.3552834406.0000024272070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: firefox.exe, 00000011.00000002.3548746695.000002078A4BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp+
Source: firefox.exe, 0000000F.00000002.3549257102.0000024FEA07A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: firefox.exe, 00000010.00000002.3552834406.0000024272070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: firefox.exe, 0000000F.00000002.3549257102.0000024FEA07A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3553465444.0000024FEA940000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3548884326.000002427183A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3552568214.000002078A9C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000D.00000003.1910280758.0000024D7E3C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3552999149.0000024FEA512000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3549257102.0000024FEA07A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}
Source: firefox.exe, 0000000F.00000002.3553465444.0000024FEA940000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: firefox.exe, 0000000F.00000002.3553465444.0000024FEA940000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3552834406.0000024272070000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024272018F37 rdtsc

16_2_0000024272018F37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0010EAA2 BlockInput,

0_2_0010EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000C2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000B4CE8 mov eax, dword ptr fs:[00000030h]

0_2_000B4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000F0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_000F0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000C2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000C2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000B083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B09D5 SetUnhandledExceptionFilter,	0_2_000B09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000B0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000B0C21

Source: C:\Users\user\Desktop\file.exe

0_2_000F1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000D2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000D2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FB226 SendInput,keybd_event,

0_2_000FB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001122DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001122DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_000F0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000F1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000F1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000B0698 cpuid

0_2_000B0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00108195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00108195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000ED27A GetUserNameW,

0_2_000ED27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000CBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000CBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000942DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000942DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7444, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7444, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00111204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00111204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00111806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00111806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	33%	Virustotal		Browse
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	216.58.208.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1768444736.0000024D0C45A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830460267.0000024D0C434000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914567794.0000024D0C45D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888584677.0000024D0C434000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549479899.0000024271AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3550094378.000002078A8C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1828825472.0000024D0ECF7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1888894612.0000024D0B49D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905483173.0000024D0B49D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791741584.0000024D05576000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000D.00000003.1898697681.0000024D7E2B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3550212579.0000024FEA3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549479899.0000024271AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3552736586.000002078AB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1765573429.0000024D0AC31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854794676.0000024D0AC30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3550094378.000002078A88F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1830460267.0000024D0C42C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888584677.0000024D0C42C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1771334106.0000024D04A67000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.o	firefox.exe, 0000000D.00000003.1844218317.0000024D0FB2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1832737394.0000024D0AD29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914253827.0000024D0CBE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890618087.0000024D04EC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1829573455.0000024D0E98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830266967.0000024D0D12B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://screenshots.firefox.com	firefox.exe, 0000000D.00000003.1910241099.0000024D7E3FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1830806150.0000024D0B44C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1731040149.0000024D02B44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730566636.0000024D02900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731431374.0000024D02B87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730803151.0000024D02B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731228857.0000024D02B66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1913511798.0000024D0E58A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1834551255.0000024D0AB46000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1910280758.0000024D7E3C6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1877779895.0000024D7F85C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905483173.0000024D0B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830806150.0000024D0B490000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731228857.0000024D02B66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com/	firefox.exe, 0000000D.00000003.1910831723.0000024D7E24E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.1839760024.0000024D056CE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1731040149.0000024D02B44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730566636.0000024D02900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1730803151.0000024D02B23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1731228857.0000024D02B66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/sets	firefox.exe, 0000000D.00000003.1910454357.0000024D7E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898902770.0000024D7E286000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.1839760024.0000024D056CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768444736.0000024D0C4DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904634876.0000024D0C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830460267.0000024D0C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888584677.0000024D0C4DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1832029893.0000024D0AFA5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000D.00000003.1898697681.0000024D7E2B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3550212579.0000024FEA3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549479899.0000024271AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3552736586.000002078AB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/common	firefox.exe, 0000000D.00000003.1910454357.0000024D7E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898902770.0000024D7E286000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1831869017.0000024D0AFCF000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://fpn.firefox.com	firefox.exe, 0000000D.00000003.1878635989.0000024D7F836000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1886700839.0000024D0E94F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1829605324.0000024D0E94E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000D.00000003.1898697681.0000024D7E2B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3550212579.0000024FEA3CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549479899.0000024271AE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3552736586.000002078AB03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1770039781.0000024D03BC7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000D.00000003.1894278665.0000024D026CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1736794012.0000024D026D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1742351358.0000024D026D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741750367.0000024D026D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741999737.0000024D026D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740067795.0000024D026D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1831869017.0000024D0AFCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549479899.0000024271A0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3550094378.000002078A80C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1789064796.0000024D03529000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789105307.0000024D0353A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784932519.0000024D03511000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1830460267.0000024D0C42C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888584677.0000024D0C42C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1888192325.0000024D0CBE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914212641.0000024D0CBF2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1834551255.0000024D0AB87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549479899.0000024271AC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3550094378.000002078A8C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1789064796.0000024D03529000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1784932519.0000024D03511000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1776939936.0000024D042B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884467815.0000024D042B9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1913511798.0000024D0E58A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1905610979.0000024D0B463000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1829605324.0000024D0E94E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886700839.0000024D0E95A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.3550094378.000002078A813000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1830460267.0000024D0C42C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888584677.0000024D0C42C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	high
https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/connection-not-secure	firefox.exe, 0000000D.00000003.1834551255.0000024D0AB46000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1830806150.0000024D0B44C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1834551255.0000024D0AB46000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1832029893.0000024D0AF98000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1789064796.0000024D03529000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1839605380.0000024D0611C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1785197312.0000024D034C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1852770527.0000024D065E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1854794676.0000024D0AC0E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892003029.0000024D0428E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866824190.0000024D031F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776939936.0000024D042B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768444736.0000024D0C4EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884467815.0000024D042C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779760930.0000024D034E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851563075.0000024D045BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877225183.0000024D02B0B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891961189.0000024D04404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893352392.0000024D02B6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847169252.0000024D04189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860760799.0000024D035BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840277663.0000024D05646000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851877495.0000024D04783000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776939936.0000024D042B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873606583.0000024D035BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882987392.0000024D04191000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1839760024.0000024D056CE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.openh264.org/	firefox.exe, 0000000D.00000003.1910280758.0000024D7E3E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1841603668.0000024D04EC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839760024.0000024D056CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890618087.0000024D04EC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1832737394.0000024D0AD4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905774119.0000024D0AD4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1770039781.0000024D03BC7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1770039781.0000024D03BC7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1832029893.0000024D0AF98000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1854794676.0000024D0AC30000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1905774119.0000024D0AD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832737394.0000024D0AD7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1771334106.0000024D04A67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832353190.0000024D0AF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899878949.0000024D0AF67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895488485.0000024D0AF67000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1910280758.0000024D7E3C6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://exslt.org/dates-and-times$	firefox.exe, 0000000D.00000003.1898902770.0000024D7E243000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910710796.0000024D7E25E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1829888475.0000024D0E933000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1737904979.0000024D7FAA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849759319.0000024D7FAA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866130678.0000024D7FAA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846589152.0000024D7FAA1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1789064796.0000024D03529000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1903184436.0000024D0435E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3552809765.0000024FEA480000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3552233945.0000024271FB0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3549734914.000002078A6A0000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561689
Start date and time:	2024-11-24 05:17:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.209.229.249, 52.32.237.164, 52.27.142.243, 172.217.17.46, 88.221.134.209, 88.221.134.155, 172.217.17.78, 172.217.17.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, umwatson.events.data.microsoft.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.117.212.221
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	56.38.180.232
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.182.100.211
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	56.76.75.179
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.101.42.79
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.19.101.102
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	33.219.71.153

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_06bcc6ba-0eed-4f41-9fa2-71ddb700b597.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178733177747649
Encrypted:	false
SSDEEP:	192:TjMiiMXcbhbVbTbfbRbObtbyEl7nwrUJA6WnSrDtTUd/SkDrqs:TYKcNhnzFSJQrnBnSrDhUd/z
MD5:	723BAB08C04BB59223DBE793B9BC1836
SHA1:	AF49EDEA98447DBBFF798A8F5962774C72B20479
SHA-256:	3F226583D68DFF55203FD8BEDE956EC31B5E74029D96089CA9D9FFF9898B76F5
SHA-512:	F24AB067E215941BE20F6222ABDADE8B46B1F852BF194570A60048F21028826F7D316556F06FE3FBAD8473A2866A65D8809F586F1D844CFA7FE6D9831BBAF93F
Malicious:	false
Preview:	{"type":"uninstall","id":"06bcc6ba-0eed-4f41-9fa2-71ddb700b597","creationDate":"2024-11-24T06:13:22.769Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_06bcc6ba-0eed-4f41-9fa2-71ddb700b597.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178733177747649
Encrypted:	false
SSDEEP:	192:TjMiiMXcbhbVbTbfbRbObtbyEl7nwrUJA6WnSrDtTUd/SkDrqs:TYKcNhnzFSJQrnBnSrDhUd/z
MD5:	723BAB08C04BB59223DBE793B9BC1836
SHA1:	AF49EDEA98447DBBFF798A8F5962774C72B20479
SHA-256:	3F226583D68DFF55203FD8BEDE956EC31B5E74029D96089CA9D9FFF9898B76F5
SHA-512:	F24AB067E215941BE20F6222ABDADE8B46B1F852BF194570A60048F21028826F7D316556F06FE3FBAD8473A2866A65D8809F586F1D844CFA7FE6D9831BBAF93F
Malicious:	false
Preview:	{"type":"uninstall","id":"06bcc6ba-0eed-4f41-9fa2-71ddb700b597","creationDate":"2024-11-24T06:13:22.769Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3078340684818475
Encrypted:	false
SSDEEP:	24:Ydf3xAcTIUx2dWoM15rLN8zmJdf3xAcswM+bpoqdWoM15rLFX1RgmHdf3xAc6lVm:YdqNUgdw8z2dqz6Bdwssdqzadwu1
MD5:	15BFD7C59056D523575D965ECBC77F11
SHA1:	D7CC6B663D76CCF0EDFA7B20478F1789309B1AEC
SHA-256:	24FE9A76E89776E063B4F6390C8490FD3CD157842719BC22548DD889D6B69C87
SHA-512:	B4D5ABEBB9FDA44CE95305BF30514D8A4411462B25BCCBE793753749FF68645BEA7C89CD8F8E97F18A0F0B4FA22CAF9BC5206FB375FD0F309A566B5066724B93
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........'>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxYY"....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxYY"............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxYY"..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............^.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3078340684818475
Encrypted:	false
SSDEEP:	24:Ydf3xAcTIUx2dWoM15rLN8zmJdf3xAcswM+bpoqdWoM15rLFX1RgmHdf3xAc6lVm:YdqNUgdw8z2dqz6Bdwssdqzadwu1
MD5:	15BFD7C59056D523575D965ECBC77F11
SHA1:	D7CC6B663D76CCF0EDFA7B20478F1789309B1AEC
SHA-256:	24FE9A76E89776E063B4F6390C8490FD3CD157842719BC22548DD889D6B69C87
SHA-512:	B4D5ABEBB9FDA44CE95305BF30514D8A4411462B25BCCBE793753749FF68645BEA7C89CD8F8E97F18A0F0B4FA22CAF9BC5206FB375FD0F309A566B5066724B93
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........'>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxYY"....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxYY"............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxYY"..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............^.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9WYF47P3HQA1VRBF374S.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3078340684818475
Encrypted:	false
SSDEEP:	24:Ydf3xAcTIUx2dWoM15rLN8zmJdf3xAcswM+bpoqdWoM15rLFX1RgmHdf3xAc6lVm:YdqNUgdw8z2dqz6Bdwssdqzadwu1
MD5:	15BFD7C59056D523575D965ECBC77F11
SHA1:	D7CC6B663D76CCF0EDFA7B20478F1789309B1AEC
SHA-256:	24FE9A76E89776E063B4F6390C8490FD3CD157842719BC22548DD889D6B69C87
SHA-512:	B4D5ABEBB9FDA44CE95305BF30514D8A4411462B25BCCBE793753749FF68645BEA7C89CD8F8E97F18A0F0B4FA22CAF9BC5206FB375FD0F309A566B5066724B93
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........'>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxYY"....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxYY"............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxYY"..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............^.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AKWC79HN4QQ0U56C9U99.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3078340684818475
Encrypted:	false
SSDEEP:	24:Ydf3xAcTIUx2dWoM15rLN8zmJdf3xAcswM+bpoqdWoM15rLFX1RgmHdf3xAc6lVm:YdqNUgdw8z2dqz6Bdwssdqzadwu1
MD5:	15BFD7C59056D523575D965ECBC77F11
SHA1:	D7CC6B663D76CCF0EDFA7B20478F1789309B1AEC
SHA-256:	24FE9A76E89776E063B4F6390C8490FD3CD157842719BC22548DD889D6B69C87
SHA-512:	B4D5ABEBB9FDA44CE95305BF30514D8A4411462B25BCCBE793753749FF68645BEA7C89CD8F8E97F18A0F0B4FA22CAF9BC5206FB375FD0F309A566B5066724B93
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........'>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxYY"....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxYY"............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxYY"..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............^.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925504609456947
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL5y18P:8S+OBIUjOdwiOdYVjjwL5y18P
MD5:	6B34629B9F977013EB295F4E8567A5F2
SHA1:	EA3D0E070365CB29893D8A409FD943C5FCF4531A
SHA-256:	F044F390899DDF0895D2C19DEB0C26B46D4870EEA35C3758DA9DA19B69991453
SHA-512:	FE4C1BAAF56866C12C91EE5A9E2E27B8243535F1C937B0487B4681FEB1B537975B78A57A6E8BF1CD4F706E17B9DBF4F1E7565CBC4EC7C870CAFF998C7DA1EC73
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925504609456947
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL5y18P:8S+OBIUjOdwiOdYVjjwL5y18P
MD5:	6B34629B9F977013EB295F4E8567A5F2
SHA1:	EA3D0E070365CB29893D8A409FD943C5FCF4531A
SHA-256:	F044F390899DDF0895D2C19DEB0C26B46D4870EEA35C3758DA9DA19B69991453
SHA-512:	FE4C1BAAF56866C12C91EE5A9E2E27B8243535F1C937B0487B4681FEB1B537975B78A57A6E8BF1CD4F706E17B9DBF4F1E7565CBC4EC7C870CAFF998C7DA1EC73
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07328095494637173
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkihF/:DLhesh7Owd4+jih
MD5:	3D730BF87ED97629BEE9C59C80A86ECB
SHA1:	A8C26B19F0CBB309ADCC7158B4FFA2E1B142D889
SHA-256:	A7224A5A9C75BD47C61C866886E9DD75A52E7D1EF34B3BED7C1197BD35B0A9D0
SHA-512:	34826C3064926558416AC0549A3A53BA29D801D99EF672334D8C7C60BEEB81DC2E93A4175FA56C8BFC2346621698401126ECCE9B793EEF5777C5502188B34AA7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039301097826853294
Encrypted:	false
SSDEEP:	3:GHlhVziiaetQzlIlHlhVziiaetQz/4l8a9//Ylll4llqlyllel4lt:G7VOKYIl7VOKyoL9XIwlio
MD5:	3D4F8F3073272468E5F424B4C6AC7578
SHA1:	C4FED47F5F6D399FB454FC5EFD35F14899D2AF88
SHA-256:	D7095EADB1A41BA94E343E967013A1913EC8DB75BC54D2716A52AA292E4625E3
SHA-512:	E1CBF0E649B33B41A01BB04CA5D9B3C3A4BD9AFA947077B494A10D11AE2F81F2AE6A2CC5AA755CF894EDE6EB6910E1777CB0E526DC5AFC632E7AAA2B54296C88
Malicious:	false
Preview:	..-......................GG.....y...2.......V..m..-......................GG.....y...2.......V..m........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11786211655550957
Encrypted:	false
SSDEEP:	24:KZMt6fk5yLxsZ+KjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxhwlB2VZ2i7+:OHM4QhJtUnWdU+RVxKHkZk
MD5:	BBE5D10249136389EF94628816D7B00A
SHA1:	AD8128EBB7CE2E22527354787CAAA767887BB147
SHA-256:	6E0C91453B7F32FC1C501EC0CE0A675028C7D331AE39CCEB51F93A5A2BCB2854
SHA-512:	BEF2711C9ACF9FB3C469BCC17DD8F42E9DC117FE69E4F1B55AC1F3A61AABD3706F8945786357C5D970A01F4967EAFCF042E6DCD412A9ED3E946C09C6B9859377
Malicious:	false
Preview:	7....-..........y...2...z...Hpc........y...2...K.5.4.M.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493911387193699
Encrypted:	false
SSDEEP:	192:anaRtLYbBp6ohj4qyaaXf6Ki4M7N5q45RfGNBw8dLSl:feKq954MhJcwY0
MD5:	A573E62227558CB4E2D31883420F952B
SHA1:	FE6E6FF8CCED1D0FBE0D9D963D86D0A0022FBEAE
SHA-256:	8EE90A2BB5609D1EEB86387BAB03CAD0EA247FE40853FF41F074874BF53B463F
SHA-512:	F7432B685C84E5BCAD31546270FD0EA46B5DEF1D6FCC368F406D2DD871EFC924289578B18E788AF652D1C66B13CC0B30BBD4F68A70F04A328E2D1C7FE69E10FF
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732428773);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732428773);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732428773);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173242

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493911387193699
Encrypted:	false
SSDEEP:	192:anaRtLYbBp6ohj4qyaaXf6Ki4M7N5q45RfGNBw8dLSl:feKq954MhJcwY0
MD5:	A573E62227558CB4E2D31883420F952B
SHA1:	FE6E6FF8CCED1D0FBE0D9D963D86D0A0022FBEAE
SHA-256:	8EE90A2BB5609D1EEB86387BAB03CAD0EA247FE40853FF41F074874BF53B463F
SHA-512:	F7432B685C84E5BCAD31546270FD0EA46B5DEF1D6FCC368F406D2DD871EFC924289578B18E788AF652D1C66B13CC0B30BBD4F68A70F04A328E2D1C7FE69E10FF
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732428773);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732428773);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732428773);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173242

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3341780209331215
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSg0LXnIgw/pnxQwRlszT5sKtq3eHVQj6TcnamhujJlOsIx6mNVryNO:GUpOxr0gnR6E3eHTM4JlGjUNR4
MD5:	E9F9885350F84F5AE4C2752E63C736F6
SHA1:	4438B7DAED2C004BCBCE0E1692A550126D58D01A
SHA-256:	F2E6B1EFC1D02948BC8D221649F05783E08C1830AE62C6970E809CA91F0E340E
SHA-512:	FE8165ECEB59B717CAD52C4365EA001633F7A1F60B25C2C5D76F602753DEDDCF321E51C4C2864B4A7AF81D9107DD406DADC909753FA27F633138EFDDC7EDA40B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{1e282dc7-8185-4671-ae52-1d103dfb3231}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732428776639,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..iUpdate...40,"startTim..A4257...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...47818,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3341780209331215
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSg0LXnIgw/pnxQwRlszT5sKtq3eHVQj6TcnamhujJlOsIx6mNVryNO:GUpOxr0gnR6E3eHTM4JlGjUNR4
MD5:	E9F9885350F84F5AE4C2752E63C736F6
SHA1:	4438B7DAED2C004BCBCE0E1692A550126D58D01A
SHA-256:	F2E6B1EFC1D02948BC8D221649F05783E08C1830AE62C6970E809CA91F0E340E
SHA-512:	FE8165ECEB59B717CAD52C4365EA001633F7A1F60B25C2C5D76F602753DEDDCF321E51C4C2864B4A7AF81D9107DD406DADC909753FA27F633138EFDDC7EDA40B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{1e282dc7-8185-4671-ae52-1d103dfb3231}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732428776639,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..iUpdate...40,"startTim..A4257...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...47818,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1569
Entropy (8bit):	6.3341780209331215
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSg0LXnIgw/pnxQwRlszT5sKtq3eHVQj6TcnamhujJlOsIx6mNVryNO:GUpOxr0gnR6E3eHTM4JlGjUNR4
MD5:	E9F9885350F84F5AE4C2752E63C736F6
SHA1:	4438B7DAED2C004BCBCE0E1692A550126D58D01A
SHA-256:	F2E6B1EFC1D02948BC8D221649F05783E08C1830AE62C6970E809CA91F0E340E
SHA-512:	FE8165ECEB59B717CAD52C4365EA001633F7A1F60B25C2C5D76F602753DEDDCF321E51C4C2864B4A7AF81D9107DD406DADC909753FA27F633138EFDDC7EDA40B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{1e282dc7-8185-4671-ae52-1d103dfb3231}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732428776639,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..iUpdate...40,"startTim..A4257...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...47818,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033796584628369
Encrypted:	false
SSDEEP:	48:YrSAYD6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycDyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	AEBF4CF9F84D6BF47A05AD0C6E07317D
SHA1:	CE3DCCF849D2B07619A86E43D671372443368C50
SHA-256:	DFF86667FE83A975CA29AA73262854CCE8FE9E051D0C4F9689DAA1A1C2E99AF6
SHA-512:	30EAD54CE291EBD6CF0CF7A31344825E2C00E3C9D25B78A88194F6AC1C5176910F24357ED8A88FF2F3073BC74096B169DBA08C37BB3C23DD86BA8E7012857161
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T06:12:38.059Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033796584628369
Encrypted:	false
SSDEEP:	48:YrSAYD6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycDyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	AEBF4CF9F84D6BF47A05AD0C6E07317D
SHA1:	CE3DCCF849D2B07619A86E43D671372443368C50
SHA-256:	DFF86667FE83A975CA29AA73262854CCE8FE9E051D0C4F9689DAA1A1C2E99AF6
SHA-512:	30EAD54CE291EBD6CF0CF7A31344825E2C00E3C9D25B78A88194F6AC1C5176910F24357ED8A88FF2F3073BC74096B169DBA08C37BB3C23DD86BA8E7012857161
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T06:12:38.059Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591498862260872
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	f461a88df2b23d0db11354b7284870e1
SHA1:	5f88d3b4e6640ed038b48e26a0c1fc50c7c39eb8
SHA256:	18cc5ff7b0dd625d23b7ecee3fa639b2368227373d1426674b7224906d0ce73f
SHA512:	69748cfd47eda08b44b2a4d160bd14a0d6b748131bdb045ddc130ed40c3c8729d9b6c80cef1303fad0822b7ffc77901893d523f2e29681e3091f75cb776cd221
SSDEEP:	12288:yqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaCTi:yqDEvCTbMWu7rQYlBQcBiT6rprG8aii
TLSH:	94159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6742A630 [Sun Nov 24 04:06:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE8DC7EEC33h
jmp 00007FE8DC7EE53Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE8DC7EE71Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE8DC7EE6EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE8DC7F12DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE8DC7F1328h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE8DC7F1311h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa714	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa714	0xa800	24048e089b8b25bf8a8de6a3b997b2aa	False	0.36544363839285715	data	5.61694405830637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x19dc	data			1.0016616314199396
RT_GROUP_ICON	0xde194	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde20c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde220	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde234	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde248	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde324	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-24T05:18:50.164046+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.208.16.94	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 05:18:52.957624912 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:52.957657099 CET	443	49742	35.190.72.216	192.168.2.4
Nov 24, 2024 05:18:52.957943916 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:52.963114977 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:52.963135958 CET	443	49742	35.190.72.216	192.168.2.4
Nov 24, 2024 05:18:54.228393078 CET	443	49742	35.190.72.216	192.168.2.4
Nov 24, 2024 05:18:54.234790087 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:54.243556023 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:54.243603945 CET	443	49742	35.190.72.216	192.168.2.4
Nov 24, 2024 05:18:54.243705988 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:54.243932009 CET	443	49742	35.190.72.216	192.168.2.4
Nov 24, 2024 05:18:54.244638920 CET	49742	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:18:54.783329010 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:54.783360958 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:54.783607960 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:54.785074949 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:54.785089016 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:54.838860989 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:54.838886023 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:54.849987984 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:54.851520061 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:54.851540089 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:55.068917036 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:55.188736916 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:55.188865900 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:55.370129108 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:55.370523930 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:55.370551109 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:55.372426987 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:55.374000072 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:55.374017954 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:55.489717007 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:55.518600941 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:55.518655062 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:55.519273996 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:55.520628929 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:55.520683050 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:55.955874920 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:55.955903053 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 05:18:55.956455946 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:55.956598997 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:55.956619024 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 05:18:56.064662933 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:56.064749002 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:56.064846039 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:56.065150976 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:56.065237045 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:56.342101097 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:56.387151957 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:56.494772911 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.495784044 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.500076056 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.500089884 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.507508039 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.507520914 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.507601023 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.507774115 CET	443	49744	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.510502100 CET	49744	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.579786062 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:56.602921963 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.602937937 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.603193045 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.603946924 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.604132891 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.607592106 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.607604027 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.607681990 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.607768059 CET	443	49745	142.250.181.78	192.168.2.4
Nov 24, 2024 05:18:56.607821941 CET	49745	443	192.168.2.4	142.250.181.78
Nov 24, 2024 05:18:56.644073009 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.655335903 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.656864882 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.660662889 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.660681009 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.660769939 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.660866022 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.661096096 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.661113977 CET	443	49754	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.672403097 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.672571898 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.677177906 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.677197933 CET	443	49754	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.699332952 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:56.702445984 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:56.702677965 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:56.800103903 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.800262928 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.804805040 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.804846048 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.804893970 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.805016994 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:56.805172920 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:56.822154999 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.217864037 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:57.217896938 CET	443	49755	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:57.218002081 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:57.219491959 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:57.219506979 CET	443	49755	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:57.231321096 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.232461929 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:57.232485056 CET	443	49756	34.107.243.93	192.168.2.4
Nov 24, 2024 05:18:57.239645958 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:57.241275072 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:57.241295099 CET	443	49756	34.107.243.93	192.168.2.4
Nov 24, 2024 05:18:57.267013073 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 05:18:57.269236088 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:57.284486055 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:57.284534931 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 05:18:57.284781933 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 05:18:57.290630102 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:57.290703058 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:57.290822029 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 05:18:57.292483091 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 05:18:57.327022076 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.331336021 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.345686913 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.348861933 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.348890066 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.349227905 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.350790977 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.350929976 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.351001024 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.351079941 CET	443	49751	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.351213932 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.351249933 CET	49751	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.420255899 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.420341969 CET	443	49757	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.420449018 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.420566082 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:57.420588970 CET	443	49757	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:57.435926914 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:57.436012983 CET	443	49758	34.149.100.209	192.168.2.4
Nov 24, 2024 05:18:57.437052011 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:57.438417912 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:57.438460112 CET	443	49758	34.149.100.209	192.168.2.4
Nov 24, 2024 05:18:57.555344105 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.557581902 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.592854023 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.639214993 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.677495956 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.688843966 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.712575912 CET	80	49753	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.726761103 CET	49753	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.758765936 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.758999109 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.759217024 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:57.788181067 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:57.788203001 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 05:18:57.788660049 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:57.790256977 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:57.790268898 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 05:18:57.878833055 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:57.940222979 CET	443	49754	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:57.940237999 CET	443	49754	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:57.940287113 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.068906069 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.068928957 CET	443	49754	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.068986893 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.069132090 CET	443	49754	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.069255114 CET	49754	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.482424974 CET	443	49755	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.482494116 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.502180099 CET	443	49756	34.107.243.93	192.168.2.4
Nov 24, 2024 05:18:58.502192020 CET	443	49756	34.107.243.93	192.168.2.4
Nov 24, 2024 05:18:58.502249002 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:58.604458094 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.604473114 CET	443	49755	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.604688883 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.604717970 CET	443	49755	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.604876995 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:58.604899883 CET	443	49756	34.107.243.93	192.168.2.4
Nov 24, 2024 05:18:58.604943991 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:58.605132103 CET	443	49756	34.107.243.93	192.168.2.4
Nov 24, 2024 05:18:58.605261087 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.605278015 CET	443	49762	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.605309010 CET	49755	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.605326891 CET	49756	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:18:58.605438948 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.606901884 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:58.606918097 CET	443	49762	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:58.678891897 CET	443	49757	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:58.678972960 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:58.681535006 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:58.681560993 CET	443	49757	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:58.681804895 CET	443	49757	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:58.683779955 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:58.683855057 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:58.683924913 CET	443	49757	35.244.181.201	192.168.2.4
Nov 24, 2024 05:18:58.684150934 CET	49757	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:18:58.699167967 CET	443	49758	34.149.100.209	192.168.2.4
Nov 24, 2024 05:18:58.699248075 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:58.703577995 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:58.703605890 CET	443	49758	34.149.100.209	192.168.2.4
Nov 24, 2024 05:18:58.703646898 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:58.703767061 CET	443	49758	34.149.100.209	192.168.2.4
Nov 24, 2024 05:18:58.703931093 CET	49758	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:18:58.890132904 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:18:58.944041967 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:18:59.051618099 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 05:18:59.051700115 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:59.056881905 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:59.056890011 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 05:18:59.056919098 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:59.057054996 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 05:18:59.057115078 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:18:59.870105028 CET	443	49762	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:59.870184898 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:59.874819994 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:59.874835968 CET	443	49762	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:59.874926090 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:18:59.874984980 CET	443	49762	34.117.188.166	192.168.2.4
Nov 24, 2024 05:18:59.875063896 CET	49762	443	192.168.2.4	34.117.188.166
Nov 24, 2024 05:19:00.830193996 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:00.859256029 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:00.859294891 CET	443	49764	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:00.861474037 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:00.861501932 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:00.862536907 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:00.862539053 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:00.862721920 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:00.862735033 CET	443	49764	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:00.862858057 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:00.862878084 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:00.949729919 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:00.955660105 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:02.165296078 CET	443	49764	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.168222904 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.171390057 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.171513081 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.517251968 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:02.520123959 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.520148039 CET	443	49764	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.520494938 CET	443	49764	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.522511959 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.522531033 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.522883892 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.523176908 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.523205996 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.523333073 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.524976015 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.524986029 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.527276993 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.527369976 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.527447939 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.527460098 CET	443	49764	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.527488947 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.527595997 CET	49764	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.527621984 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:02.528139114 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:02.636785984 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:02.850492954 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:02.899460077 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:03.783581972 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:03.783664942 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:03.788454056 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:03.788479090 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:03.788553953 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:03.788634062 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:03.788815975 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:06.278090000 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:06.414947033 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:06.486350060 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:06.489448071 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:06.489470959 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:06.490717888 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:06.492125034 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:06.492137909 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:06.605905056 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:06.619395018 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:06.627235889 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:06.627249956 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:06.627665043 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:06.629021883 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:06.629033089 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:06.664865017 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:06.819802999 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:06.865437031 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:07.551035881 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:07.670623064 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:07.704374075 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:07.704456091 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:07.709424973 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:07.709435940 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:07.709533930 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:07.709590912 CET	443	49768	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:07.709638119 CET	49768	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:07.875653028 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:07.915235043 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:07.934323072 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:07.934386015 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:08.028062105 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:08.031379938 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:08.031402111 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:08.031451941 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:08.031618118 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:08.033128023 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:08.147984028 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:08.361536980 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:08.416682005 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:09.050791979 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:09.170557022 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:09.375240088 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:09.420063019 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:18.044420958 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:18.044496059 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:18.044652939 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:18.046092033 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:18.046127081 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:18.370325089 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:18.489860058 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:19.271931887 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:19.272015095 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:19.277153015 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:19.277174950 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:19.277252913 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:19.277334929 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:19.278219938 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:19.280599117 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:19.388814926 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:19.400068998 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:19.508364916 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:19.613789082 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:19.618490934 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:19.658422947 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:19.737984896 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:19.942393064 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:19.990518093 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:21.071439028 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:21.071465015 CET	443	49771	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:21.073697090 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:21.073851109 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:21.073873043 CET	443	49771	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:21.094044924 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:21.094094038 CET	443	49772	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:21.094707012 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:21.094894886 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:21.094943047 CET	443	49772	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:21.118510008 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:21.118536949 CET	443	49773	35.190.72.216	192.168.2.4
Nov 24, 2024 05:19:21.122412920 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:21.123886108 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:21.123912096 CET	443	49773	35.190.72.216	192.168.2.4
Nov 24, 2024 05:19:21.266762972 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:21.266787052 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 05:19:21.267072916 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:21.268492937 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:21.268507004 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 05:19:21.329627037 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:21.329648018 CET	443	49775	151.101.193.91	192.168.2.4
Nov 24, 2024 05:19:21.330046892 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:21.330184937 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:21.330194950 CET	443	49775	151.101.193.91	192.168.2.4
Nov 24, 2024 05:19:22.330131054 CET	443	49771	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.330229998 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.333347082 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.333358049 CET	443	49771	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.333602905 CET	443	49771	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.336190939 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.336286068 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.336359978 CET	443	49771	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.343647003 CET	49771	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.345186949 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:22.350018024 CET	443	49772	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:22.350117922 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.353429079 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.353467941 CET	443	49772	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:22.353722095 CET	443	49772	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:22.356076956 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.356189013 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.356221914 CET	443	49772	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:22.356348991 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.356348991 CET	49772	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.381521940 CET	443	49773	35.190.72.216	192.168.2.4
Nov 24, 2024 05:19:22.381839037 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:22.385730982 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:22.385750055 CET	443	49773	35.190.72.216	192.168.2.4
Nov 24, 2024 05:19:22.385814905 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:22.385910988 CET	443	49773	35.190.72.216	192.168.2.4
Nov 24, 2024 05:19:22.392165899 CET	49773	443	192.168.2.4	35.190.72.216
Nov 24, 2024 05:19:22.464596033 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:22.529021978 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 05:19:22.529115915 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:22.532949924 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:22.532958984 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 05:19:22.533045053 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:22.533092976 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 05:19:22.533242941 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 05:19:22.542934895 CET	443	49775	151.101.193.91	192.168.2.4
Nov 24, 2024 05:19:22.543034077 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:22.545775890 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:22.545779943 CET	443	49775	151.101.193.91	192.168.2.4
Nov 24, 2024 05:19:22.545999050 CET	443	49775	151.101.193.91	192.168.2.4
Nov 24, 2024 05:19:22.546523094 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.546575069 CET	443	49776	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:22.546853065 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.547161102 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:22.547199011 CET	443	49776	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:22.548369884 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:22.548461914 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:22.548491001 CET	443	49775	151.101.193.91	192.168.2.4
Nov 24, 2024 05:19:22.548589945 CET	49775	443	192.168.2.4	151.101.193.91
Nov 24, 2024 05:19:22.555900097 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.555919886 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.556385994 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.556505919 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.556516886 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.557882071 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.557902098 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.558442116 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.558587074 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.558603048 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.559775114 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.559783936 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.560069084 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.560178995 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:22.560189962 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:22.678199053 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:22.682691097 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:22.720473051 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:22.802231073 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:23.006072044 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:23.052582979 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:23.757998943 CET	443	49776	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:23.758081913 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:23.761486053 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:23.761513948 CET	443	49776	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:23.761769056 CET	443	49776	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:23.763771057 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:23.763866901 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:23.763928890 CET	443	49776	34.149.100.209	192.168.2.4
Nov 24, 2024 05:19:23.764842987 CET	49776	443	192.168.2.4	34.149.100.209
Nov 24, 2024 05:19:23.766618967 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:23.768589973 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.768672943 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.771230936 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.771243095 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.771483898 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.773682117 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.773762941 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.773812056 CET	443	49779	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.774290085 CET	49779	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.813225985 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.813290119 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.813936949 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.815721035 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.815726995 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.815924883 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.815943003 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.818237066 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.818249941 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.818475962 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.820667982 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.820739031 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.820787907 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.821533918 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.821594000 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.821665049 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 05:19:23.821820974 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.821820974 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 05:19:23.886248112 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:24.099872112 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:24.105427027 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:24.155769110 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:24.224997997 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:24.428822041 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:24.472204924 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:34.115928888 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:34.235820055 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:34.432610989 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:34.552285910 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:39.472225904 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:39.472274065 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:39.472595930 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:39.473783970 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:39.473804951 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:40.730237961 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:40.730433941 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:40.734474897 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:40.734488010 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:40.734580040 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:40.734648943 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 05:19:40.735208988 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:19:40.737176895 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:40.856702089 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:41.071283102 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:41.074707031 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:41.119772911 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:41.194354057 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:41.399339914 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:41.451445103 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:51.079077005 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:51.186708927 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.186743975 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:51.188461065 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.188642979 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.188656092 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:51.198571920 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:51.206888914 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.206947088 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:51.207408905 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.207582951 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.207618952 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:51.209938049 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.209965944 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:51.210596085 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.210745096 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:51.210756063 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:51.403135061 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:51.522665024 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:52.464296103 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.464397907 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.465672970 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.465740919 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.467519045 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.467545033 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.467791080 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.469944954 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.469952106 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.470171928 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.472595930 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.472714901 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.472744942 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.472914934 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.472981930 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.473041058 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.473500013 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.476526976 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.476545095 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:52.491309881 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.491400003 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.494431019 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.494438887 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.494662046 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.496968031 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.497055054 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.497096062 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 05:19:52.497195005 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:19:52.596029043 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:52.809587002 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:52.817498922 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:52.869529009 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:19:52.937021971 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:53.140719891 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:19:53.208179951 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:01.989319086 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:02.108725071 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:02.325298071 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:02.328437090 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:02.380561113 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:02.447911978 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:02.652247906 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:02.697103024 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:12.337285042 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:12.456903934 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:12.653789043 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:12.773294926 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:20.886228085 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:20.886311054 CET	443	49868	34.107.243.93	192.168.2.4
Nov 24, 2024 05:20:20.886573076 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:20.888014078 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:20.888056993 CET	443	49868	34.107.243.93	192.168.2.4
Nov 24, 2024 05:20:22.145560026 CET	443	49868	34.107.243.93	192.168.2.4
Nov 24, 2024 05:20:22.145983934 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:22.151299000 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:22.151304960 CET	443	49868	34.107.243.93	192.168.2.4
Nov 24, 2024 05:20:22.151458025 CET	443	49868	34.107.243.93	192.168.2.4
Nov 24, 2024 05:20:22.151554108 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:22.151561022 CET	443	49868	34.107.243.93	192.168.2.4
Nov 24, 2024 05:20:22.151638031 CET	49868	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:20:22.154022932 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:22.273585081 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:22.487226009 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:22.490942001 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:22.535243988 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:22.611346960 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:22.817291975 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:22.867371082 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:32.501545906 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:32.621146917 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:32.818073988 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:32.937566042 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:42.630490065 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:42.749980927 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:42.946997881 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:43.066907883 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:52.760195017 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:52.879776955 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:20:53.076697111 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:20:53.196183920 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:02.889468908 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:03.009113073 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:03.205929995 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:03.325474024 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:13.018910885 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:13.138442993 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:13.335412025 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:13.454902887 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:23.148591042 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:23.268201113 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:23.465204000 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:23.584717035 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:33.278772116 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:33.398284912 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:33.595256090 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:33.714840889 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:42.806603909 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:42.806659937 CET	443	50052	34.107.243.93	192.168.2.4
Nov 24, 2024 05:21:42.806857109 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:42.808388948 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:42.808414936 CET	443	50052	34.107.243.93	192.168.2.4
Nov 24, 2024 05:21:43.408128977 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:43.527743101 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:43.724539995 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:43.844110012 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:44.017333984 CET	443	50052	34.107.243.93	192.168.2.4
Nov 24, 2024 05:21:44.017414093 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:44.024462938 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:44.024493933 CET	443	50052	34.107.243.93	192.168.2.4
Nov 24, 2024 05:21:44.024595022 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:44.024620056 CET	443	50052	34.107.243.93	192.168.2.4
Nov 24, 2024 05:21:44.025389910 CET	50052	443	192.168.2.4	34.107.243.93
Nov 24, 2024 05:21:44.027260065 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:44.146728992 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:44.360857964 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:44.365101099 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:44.410969019 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:44.484747887 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:44.688693047 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:44.742651939 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:52.697340012 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.697448015 CET	443	50055	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.697603941 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.697693110 CET	443	50056	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.697702885 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.697737932 CET	443	50057	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.697818995 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.697841883 CET	443	50058	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.697895050 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.697896957 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.697915077 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.698003054 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.698067904 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.698105097 CET	443	50055	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.698188066 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.698200941 CET	443	50057	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.698280096 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.698316097 CET	443	50056	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:52.698451996 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:52.698472977 CET	443	50058	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.908688068 CET	443	50055	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.911063910 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.913806915 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.913839102 CET	443	50055	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.914098024 CET	443	50055	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.915605068 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.915713072 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.915756941 CET	443	50055	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.917646885 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.917696953 CET	50055	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.918608904 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:53.963202000 CET	443	50056	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.963327885 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.965653896 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.965678930 CET	443	50056	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.966445923 CET	443	50056	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.967540026 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.967628956 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:53.967917919 CET	443	50056	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:53.973550081 CET	50056	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.001741886 CET	443	50058	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.001810074 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.004014969 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.004026890 CET	443	50058	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.004254103 CET	443	50058	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.005539894 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.005610943 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.005677938 CET	443	50058	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.006243944 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.006243944 CET	50058	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.007477045 CET	443	50057	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.007543087 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.010204077 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.010214090 CET	443	50057	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.010596037 CET	443	50057	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.012428045 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.012521029 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.012597084 CET	443	50057	34.120.208.123	192.168.2.4
Nov 24, 2024 05:21:54.013535976 CET	50057	443	192.168.2.4	34.120.208.123
Nov 24, 2024 05:21:54.038420916 CET	80	49763	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:54.042485952 CET	49763	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:54.069051027 CET	50059	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:54.188524961 CET	80	50059	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:54.188611031 CET	50059	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:54.188775063 CET	50059	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:54.308192015 CET	80	50059	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:54.697663069 CET	49759	80	192.168.2.4	34.107.221.82
Nov 24, 2024 05:21:54.818154097 CET	80	49759	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:55.365997076 CET	80	50059	34.107.221.82	192.168.2.4
Nov 24, 2024 05:21:55.415328026 CET	50059	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 05:18:52.957950115 CET	60263	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:53.096276045 CET	53	60263	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:53.097014904 CET	59862	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:53.234432936 CET	53	59862	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:54.645598888 CET	56517	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:54.648015976 CET	51996	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:54.782227993 CET	53	56517	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:54.783530951 CET	64530	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:54.786189079 CET	60317	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:54.920033932 CET	53	64530	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:54.920664072 CET	56611	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:54.924228907 CET	53	60317	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:54.927151918 CET	65015	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.035808086 CET	57795	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.058110952 CET	53	56611	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.064421892 CET	53	65015	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.173088074 CET	53	57795	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.370949030 CET	60702	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.380860090 CET	49194	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.507674932 CET	53	60702	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.508424044 CET	49624	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.517627954 CET	53	49194	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.519160032 CET	54252	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.524302959 CET	54026	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.645426035 CET	53	49624	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.766685963 CET	53	54252	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.769151926 CET	61365	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:55.906254053 CET	53	61365	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.954485893 CET	53	54026	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:55.956379890 CET	59958	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.064879894 CET	61823	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.286624908 CET	54502	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.289664984 CET	53	61823	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.292376995 CET	51020	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.307219028 CET	53	59958	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.310261011 CET	52200	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.424773932 CET	64457	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.429344893 CET	53	51020	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.438999891 CET	63844	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.439593077 CET	56959	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.446489096 CET	55559	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.450392008 CET	53	52200	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.561503887 CET	53	64457	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.576214075 CET	53	63844	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.583250046 CET	53	55559	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.594660997 CET	60089	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.732095003 CET	53	60089	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.758265018 CET	52737	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:56.895308971 CET	53	52737	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:56.978804111 CET	53	51768	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:57.232796907 CET	57263	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:57.369925022 CET	53	57263	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:57.495553017 CET	61928	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:57.632935047 CET	53	61928	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:57.636661053 CET	49311	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:57.774652958 CET	53	49311	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:57.790518045 CET	61234	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:57.927975893 CET	53	61234	1.1.1.1	192.168.2.4
Nov 24, 2024 05:18:57.931302071 CET	60158	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:18:58.068303108 CET	53	60158	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:00.821122885 CET	62487	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:00.957961082 CET	53	62487	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:02.517061949 CET	60822	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:02.655045033 CET	53	60822	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:02.657582045 CET	59918	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:02.902297020 CET	53	59918	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:06.287545919 CET	62755	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:06.487307072 CET	58324	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:06.490195990 CET	50689	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:06.626079082 CET	53	58324	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:06.627603054 CET	55136	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:06.628046989 CET	53	50689	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:06.765974045 CET	53	55136	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.525655031 CET	52572	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.525929928 CET	49318	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.526170015 CET	51684	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.662646055 CET	53	49318	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.662699938 CET	53	52572	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.664197922 CET	53	51684	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.771378040 CET	58753	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.771611929 CET	59867	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.771796942 CET	56466	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.908792973 CET	53	58753	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.909080982 CET	53	56466	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.909116030 CET	53	59867	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:09.909465075 CET	58830	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.910012960 CET	59015	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:09.910115004 CET	55534	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.047353983 CET	53	58830	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.048019886 CET	49852	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.048341990 CET	53	59015	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.049889088 CET	60566	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.050101995 CET	53	55534	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.185751915 CET	53	49852	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.186537027 CET	63803	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.186770916 CET	53	60566	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.187469006 CET	64676	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.324448109 CET	53	64676	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.324982882 CET	49982	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.325299025 CET	53	63803	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.325767994 CET	52477	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:10.462487936 CET	53	49982	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:10.463571072 CET	53	52477	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:18.044421911 CET	56464	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:18.181282043 CET	53	56464	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.077249050 CET	59361	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.091281891 CET	60369	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.125365019 CET	51779	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.263626099 CET	53	51779	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.267010927 CET	61589	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.298475981 CET	53	59361	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.328752995 CET	53	60369	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.329983950 CET	64942	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.467613935 CET	53	64942	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.468261957 CET	65076	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.497350931 CET	53	61589	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.497915983 CET	49695	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:21.635010958 CET	53	49695	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:21.782965899 CET	53	65076	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:39.472551107 CET	49675	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:39.610511065 CET	53	49675	1.1.1.1	192.168.2.4
Nov 24, 2024 05:19:51.187092066 CET	54904	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:19:51.324614048 CET	53	54904	1.1.1.1	192.168.2.4
Nov 24, 2024 05:20:01.989564896 CET	53277	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:20:20.748466969 CET	50753	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:20:20.885270119 CET	53	50753	1.1.1.1	192.168.2.4
Nov 24, 2024 05:20:20.886538029 CET	60540	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:20:21.023694038 CET	53	60540	1.1.1.1	192.168.2.4
Nov 24, 2024 05:20:22.154304028 CET	51944	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:21:42.528160095 CET	61302	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:21:42.666439056 CET	53	61302	1.1.1.1	192.168.2.4
Nov 24, 2024 05:21:42.667974949 CET	50317	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:21:42.805037975 CET	53	50317	1.1.1.1	192.168.2.4
Nov 24, 2024 05:21:42.805834055 CET	54215	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:21:42.944259882 CET	53	54215	1.1.1.1	192.168.2.4
Nov 24, 2024 05:21:44.027532101 CET	62100	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:21:52.697920084 CET	59275	53	192.168.2.4	1.1.1.1
Nov 24, 2024 05:21:52.834773064 CET	53	59275	1.1.1.1	192.168.2.4
Nov 24, 2024 05:21:53.918903112 CET	49969	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 05:18:52.957950115 CET	192.168.2.4	1.1.1.1	0x66f1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:53.097014904 CET	192.168.2.4	1.1.1.1	0xa651	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:18:54.645598888 CET	192.168.2.4	1.1.1.1	0x475d	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.648015976 CET	192.168.2.4	1.1.1.1	0x53b9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.783530951 CET	192.168.2.4	1.1.1.1	0x7ebc	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.786189079 CET	192.168.2.4	1.1.1.1	0x706c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.920664072 CET	192.168.2.4	1.1.1.1	0xc7d2	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 05:18:54.927151918 CET	192.168.2.4	1.1.1.1	0x6a56	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:18:55.035808086 CET	192.168.2.4	1.1.1.1	0x5cc4	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.370949030 CET	192.168.2.4	1.1.1.1	0xd863	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.380860090 CET	192.168.2.4	1.1.1.1	0x23bc	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.508424044 CET	192.168.2.4	1.1.1.1	0x146c	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:18:55.519160032 CET	192.168.2.4	1.1.1.1	0x264d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.524302959 CET	192.168.2.4	1.1.1.1	0x6158	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.769151926 CET	192.168.2.4	1.1.1.1	0x60a0	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:18:55.956379890 CET	192.168.2.4	1.1.1.1	0x1714	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.064879894 CET	192.168.2.4	1.1.1.1	0x1070	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.286624908 CET	192.168.2.4	1.1.1.1	0x841c	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.292376995 CET	192.168.2.4	1.1.1.1	0xd5b6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:18:56.310261011 CET	192.168.2.4	1.1.1.1	0x1e80	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:18:56.424773932 CET	192.168.2.4	1.1.1.1	0x1038	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.438999891 CET	192.168.2.4	1.1.1.1	0x522f	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.439593077 CET	192.168.2.4	1.1.1.1	0x87a2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.446489096 CET	192.168.2.4	1.1.1.1	0xddd7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.594660997 CET	192.168.2.4	1.1.1.1	0xe664	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.758265018 CET	192.168.2.4	1.1.1.1	0x3453	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:18:57.232796907 CET	192.168.2.4	1.1.1.1	0x45bb	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.495553017 CET	192.168.2.4	1.1.1.1	0x23e1	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.636661053 CET	192.168.2.4	1.1.1.1	0xb4	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:18:57.790518045 CET	192.168.2.4	1.1.1.1	0xd778	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.931302071 CET	192.168.2.4	1.1.1.1	0x72a0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:00.821122885 CET	192.168.2.4	1.1.1.1	0x4fb8	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:02.517061949 CET	192.168.2.4	1.1.1.1	0x6f5c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:02.657582045 CET	192.168.2.4	1.1.1.1	0x8d55	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:19:06.287545919 CET	192.168.2.4	1.1.1.1	0xc4e6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:06.487307072 CET	192.168.2.4	1.1.1.1	0x7cd8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:06.490195990 CET	192.168.2.4	1.1.1.1	0x37a8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:06.627603054 CET	192.168.2.4	1.1.1.1	0xac1d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:09.525655031 CET	192.168.2.4	1.1.1.1	0xc40c	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.525929928 CET	192.168.2.4	1.1.1.1	0xbf71	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.526170015 CET	192.168.2.4	1.1.1.1	0x6ee7	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.771378040 CET	192.168.2.4	1.1.1.1	0x2ef5	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.771611929 CET	192.168.2.4	1.1.1.1	0x66e0	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.771796942 CET	192.168.2.4	1.1.1.1	0x1aa8	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909465075 CET	192.168.2.4	1.1.1.1	0xc0a	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 05:19:09.910012960 CET	192.168.2.4	1.1.1.1	0x17fd	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:09.910115004 CET	192.168.2.4	1.1.1.1	0x316a	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:10.048019886 CET	192.168.2.4	1.1.1.1	0xd452	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.049889088 CET	192.168.2.4	1.1.1.1	0x2a22	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.186537027 CET	192.168.2.4	1.1.1.1	0xaad	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.187469006 CET	192.168.2.4	1.1.1.1	0x9091	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.324982882 CET	192.168.2.4	1.1.1.1	0x983	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:10.325767994 CET	192.168.2.4	1.1.1.1	0x29b6	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 05:19:18.044421911 CET	192.168.2.4	1.1.1.1	0xb76a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:21.077249050 CET	192.168.2.4	1.1.1.1	0x1fda	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 05:19:21.091281891 CET	192.168.2.4	1.1.1.1	0xd0da	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.125365019 CET	192.168.2.4	1.1.1.1	0x2ed3	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.267010927 CET	192.168.2.4	1.1.1.1	0x546c	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.329983950 CET	192.168.2.4	1.1.1.1	0xac09	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.468261957 CET	192.168.2.4	1.1.1.1	0xd1e9	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 05:19:21.497915983 CET	192.168.2.4	1.1.1.1	0x8fb1	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:39.472551107 CET	192.168.2.4	1.1.1.1	0x576c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:19:51.187092066 CET	192.168.2.4	1.1.1.1	0xc78f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:20:01.989564896 CET	192.168.2.4	1.1.1.1	0x5bff	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:20:20.748466969 CET	192.168.2.4	1.1.1.1	0xef21	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:20:20.886538029 CET	192.168.2.4	1.1.1.1	0x69d8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:20:22.154304028 CET	192.168.2.4	1.1.1.1	0x88fa	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:42.528160095 CET	192.168.2.4	1.1.1.1	0x4457	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:42.667974949 CET	192.168.2.4	1.1.1.1	0xcb23	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:42.805834055 CET	192.168.2.4	1.1.1.1	0xb326	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:21:44.027532101 CET	192.168.2.4	1.1.1.1	0x5233	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:52.697920084 CET	192.168.2.4	1.1.1.1	0x5402	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 05:21:53.918903112 CET	192.168.2.4	1.1.1.1	0x72d5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 05:18:52.942379951 CET	1.1.1.1	192.168.2.4	0x9eb4	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:53.096276045 CET	1.1.1.1	192.168.2.4	0x66f1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.782227993 CET	1.1.1.1	192.168.2.4	0x475d	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.784962893 CET	1.1.1.1	192.168.2.4	0x53b9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:54.784962893 CET	1.1.1.1	192.168.2.4	0x53b9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.920033932 CET	1.1.1.1	192.168.2.4	0x7ebc	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:54.924228907 CET	1.1.1.1	192.168.2.4	0x706c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.058110952 CET	1.1.1.1	192.168.2.4	0xc7d2	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 05:18:55.064421892 CET	1.1.1.1	192.168.2.4	0x6a56	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 05:18:55.173088074 CET	1.1.1.1	192.168.2.4	0x5cc4	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.507674932 CET	1.1.1.1	192.168.2.4	0xd863	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.517627954 CET	1.1.1.1	192.168.2.4	0x23bc	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:55.517627954 CET	1.1.1.1	192.168.2.4	0x23bc	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.766685963 CET	1.1.1.1	192.168.2.4	0x264d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:55.954485893 CET	1.1.1.1	192.168.2.4	0x6158	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:55.954485893 CET	1.1.1.1	192.168.2.4	0x6158	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:55.954485893 CET	1.1.1.1	192.168.2.4	0x6158	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.063667059 CET	1.1.1.1	192.168.2.4	0xd1c7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:56.063667059 CET	1.1.1.1	192.168.2.4	0xd1c7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.289664984 CET	1.1.1.1	192.168.2.4	0x1070	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.307219028 CET	1.1.1.1	192.168.2.4	0x1714	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.450392008 CET	1.1.1.1	192.168.2.4	0x1e80	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 05:18:56.510442972 CET	1.1.1.1	192.168.2.4	0x841c	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:56.561503887 CET	1.1.1.1	192.168.2.4	0x1038	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.576214075 CET	1.1.1.1	192.168.2.4	0x522f	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.576214075 CET	1.1.1.1	192.168.2.4	0x522f	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.576549053 CET	1.1.1.1	192.168.2.4	0x87a2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:56.576549053 CET	1.1.1.1	192.168.2.4	0x87a2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.583250046 CET	1.1.1.1	192.168.2.4	0xddd7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:56.732095003 CET	1.1.1.1	192.168.2.4	0xe664	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.353363991 CET	1.1.1.1	192.168.2.4	0x2c0e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:57.353363991 CET	1.1.1.1	192.168.2.4	0x2c0e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.369925022 CET	1.1.1.1	192.168.2.4	0x45bb	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:18:57.369925022 CET	1.1.1.1	192.168.2.4	0x45bb	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.632935047 CET	1.1.1.1	192.168.2.4	0x23e1	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.775943995 CET	1.1.1.1	192.168.2.4	0x60a3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:18:57.927975893 CET	1.1.1.1	192.168.2.4	0xd778	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:00.957961082 CET	1.1.1.1	192.168.2.4	0x4fb8	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:00.957961082 CET	1.1.1.1	192.168.2.4	0x4fb8	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:00.957961082 CET	1.1.1.1	192.168.2.4	0x4fb8	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:00.969609976 CET	1.1.1.1	192.168.2.4	0xc6df	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:02.655045033 CET	1.1.1.1	192.168.2.4	0x6f5c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:06.432023048 CET	1.1.1.1	192.168.2.4	0xc4e6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:06.432023048 CET	1.1.1.1	192.168.2.4	0xc4e6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:06.626079082 CET	1.1.1.1	192.168.2.4	0x7cd8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662646055 CET	1.1.1.1	192.168.2.4	0xbf71	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662646055 CET	1.1.1.1	192.168.2.4	0xbf71	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.662699938 CET	1.1.1.1	192.168.2.4	0xc40c	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.664197922 CET	1.1.1.1	192.168.2.4	0x6ee7	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:09.664197922 CET	1.1.1.1	192.168.2.4	0x6ee7	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.908792973 CET	1.1.1.1	192.168.2.4	0x2ef5	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909080982 CET	1.1.1.1	192.168.2.4	0x1aa8	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:09.909116030 CET	1.1.1.1	192.168.2.4	0x66e0	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.047353983 CET	1.1.1.1	192.168.2.4	0xc0a	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 05:19:10.048341990 CET	1.1.1.1	192.168.2.4	0x17fd	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 05:19:10.050101995 CET	1.1.1.1	192.168.2.4	0x316a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 05:19:10.050101995 CET	1.1.1.1	192.168.2.4	0x316a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 05:19:10.050101995 CET	1.1.1.1	192.168.2.4	0x316a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 05:19:10.050101995 CET	1.1.1.1	192.168.2.4	0x316a	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 05:19:10.185751915 CET	1.1.1.1	192.168.2.4	0xd452	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:10.185751915 CET	1.1.1.1	192.168.2.4	0xd452	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.185751915 CET	1.1.1.1	192.168.2.4	0xd452	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.185751915 CET	1.1.1.1	192.168.2.4	0xd452	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.185751915 CET	1.1.1.1	192.168.2.4	0xd452	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.186770916 CET	1.1.1.1	192.168.2.4	0x2a22	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.324448109 CET	1.1.1.1	192.168.2.4	0x9091	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.325299025 CET	1.1.1.1	192.168.2.4	0xaad	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.325299025 CET	1.1.1.1	192.168.2.4	0xaad	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.325299025 CET	1.1.1.1	192.168.2.4	0xaad	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:10.325299025 CET	1.1.1.1	192.168.2.4	0xaad	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.263626099 CET	1.1.1.1	192.168.2.4	0x2ed3	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:21.263626099 CET	1.1.1.1	192.168.2.4	0x2ed3	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.328752995 CET	1.1.1.1	192.168.2.4	0xd0da	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.328752995 CET	1.1.1.1	192.168.2.4	0xd0da	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.328752995 CET	1.1.1.1	192.168.2.4	0xd0da	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.328752995 CET	1.1.1.1	192.168.2.4	0xd0da	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.467613935 CET	1.1.1.1	192.168.2.4	0xac09	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.467613935 CET	1.1.1.1	192.168.2.4	0xac09	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.467613935 CET	1.1.1.1	192.168.2.4	0xac09	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.467613935 CET	1.1.1.1	192.168.2.4	0xac09	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.497350931 CET	1.1.1.1	192.168.2.4	0x546c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:19:21.782965899 CET	1.1.1.1	192.168.2.4	0xd1e9	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 05:19:21.782965899 CET	1.1.1.1	192.168.2.4	0xd1e9	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 05:19:21.782965899 CET	1.1.1.1	192.168.2.4	0xd1e9	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 05:19:21.782965899 CET	1.1.1.1	192.168.2.4	0xd1e9	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 05:19:24.318635941 CET	1.1.1.1	192.168.2.4	0x4e5	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:19:24.318635941 CET	1.1.1.1	192.168.2.4	0x4e5	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:20:02.220477104 CET	1.1.1.1	192.168.2.4	0x5bff	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:20:02.220477104 CET	1.1.1.1	192.168.2.4	0x5bff	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:20:20.885270119 CET	1.1.1.1	192.168.2.4	0xef21	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:20:22.291122913 CET	1.1.1.1	192.168.2.4	0x88fa	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:20:22.291122913 CET	1.1.1.1	192.168.2.4	0x88fa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:42.666439056 CET	1.1.1.1	192.168.2.4	0x4457	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:42.805037975 CET	1.1.1.1	192.168.2.4	0xcb23	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:44.165900946 CET	1.1.1.1	192.168.2.4	0x5233	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:21:44.165900946 CET	1.1.1.1	192.168.2.4	0x5233	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:52.696343899 CET	1.1.1.1	192.168.2.4	0x6690	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 05:21:54.060331106 CET	1.1.1.1	192.168.2.4	0x72d5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 05:21:54.060331106 CET	1.1.1.1	192.168.2.4	0x72d5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49746	34.107.221.82	80	7868	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 05:18:55.370129108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:18:56.342101097 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77459 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:18:57.231321096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:18:57.555344105 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77460 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49753	34.107.221.82	80	7868	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 05:18:56.702677965 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49759	34.107.221.82	80	7868	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 05:18:57.759217024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:18:58.890132904 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79341 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:06.278090000 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:06.619395018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79349 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:07.551035881 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:07.875653028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79350 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:09.050791979 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:09.375240088 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79352 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:19.388814926 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:19:19.618490934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:19.942393064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79362 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:22.682691097 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:23.006072044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79365 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:24.105427027 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:24.428822041 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79367 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:34.432610989 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:19:41.074707031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:41.399339914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79384 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:19:51.403135061 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:19:52.817498922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:19:53.140719891 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79395 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:20:02.328437090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:20:02.652247906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79405 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:20:12.653789043 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:20:22.490942001 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:20:22.817291975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79425 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 05:20:32.818073988 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:20:42.946997881 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:20:53.076697111 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:03.205929995 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:13.335412025 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:23.465204000 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:44.365101099 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 05:21:44.688693047 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 06:16:37 GMT Age: 79507 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49763	34.107.221.82	80	7868	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 05:19:02.517251968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:02.850492954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77465 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:06.486350060 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:06.819802999 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77469 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:08.028062105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:08.361536980 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77471 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:18.370325089 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:19:19.280599117 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:19.613789082 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77482 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:22.345186949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:22.678199053 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77485 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:23.766618967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:24.099872112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77486 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:34.115928888 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:19:40.737176895 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:41.071283102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77503 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:19:51.079077005 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:19:52.476545095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:19:52.809587002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77515 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:20:01.989319086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:20:02.325298071 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77525 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:20:12.337285042 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:20:22.154022932 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:20:22.487226009 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77545 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 05:20:32.501545906 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:20:42.630490065 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:20:52.760195017 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:02.889468908 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:13.018910885 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:23.148591042 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 05:21:44.027260065 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:21:44.360857964 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 77627 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	50059	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 05:21:54.188775063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 05:21:55.365997076 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 38623 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	23:18:46
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x90000
File size:	922'112 bytes
MD5 hash:	F461A88DF2B23D0DB11354B7284870E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:18:46
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xde0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:18:46
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:18:48
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xde0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:18:48
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xde0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xde0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xde0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:18:49
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	23:18:50
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bdb6cb1-7dc1-4911-ac4c-bfb5f1e5f2e5} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d72a6d910 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:18:52
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3796 -parentBuildID 20230927232528 -prefsHandle 3812 -prefMapHandle 3584 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb42aa61-4454-4ee0-acce-73b006d0329d} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d04ee4310 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	23:18:56
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5040 -prefMapHandle 5036 -prefsLen 32993 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40aa82e2-f3c8-416a-a76a-fd595b206e92} 7868 "\\.\pipe\gecko-crash-server-pipe.7868" 24d046e8710 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1518
Total number of Limit Nodes:	51

Executed Functions

Function 000942DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0009430D

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

GetCurrentProcess.KERNEL32(?,0012CB64,00000000,?,?), ref: 00094422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00094429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00094454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00094466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00094474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0009447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000944A0

Strings

|O, xrefs: 000D36F8
kernel32.dll, xrefs: 0009444F
GetNativeSystemInfo, xrefs: 00094460

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 1eca0cb945ab58777d691229dd4bb78166f6277962950e36a57320ec9dab9695
Instruction ID: 8dd56f46272389ff713dce1c3f82c2ea37236240ba72953af740cd17760af5c2
Opcode Fuzzy Hash: 1eca0cb945ab58777d691229dd4bb78166f6277962950e36a57320ec9dab9695
Instruction Fuzzy Hash: 5CA16F6690E3C0FFCB21CB6A7C415997FE47B36360B1C5899D44393F22D2A045C9DB62

Function 000942A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,000950AA,?,?,00000000,00000000), ref: 000942B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000950AA,?,?,00000000,00000000), ref: 000942C9
LoadResource.KERNEL32(?,00000000,?,?,000950AA,?,?,00000000,00000000,?,?,?,?,?,?,00094F20), ref: 000D35BE
SizeofResource.KERNEL32(?,00000000,?,?,000950AA,?,?,00000000,00000000,?,?,?,?,?,?,00094F20), ref: 000D35D3
LockResource.KERNEL32(000950AA,?,?,000950AA,?,?,00000000,00000000,?,?,?,?,?,?,00094F20,?), ref: 000D35E6

Strings

SCRIPT, xrefs: 000942BF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a1d038046836a4354dfd6aa44bbd0a4dfb1d789e6fc5cb35b5ed2111222d7df9
Instruction ID: 988b3de4b76fbf2cf717caaae40991e10e1624d7b99a4ea28dd8b89ed3d7d518
Opcode Fuzzy Hash: a1d038046836a4354dfd6aa44bbd0a4dfb1d789e6fc5cb35b5ed2111222d7df9
Instruction Fuzzy Hash: B3117C70600700BFEB318B65DC48F2B7BB9EFC5B51F208169B50296690EB71D8519660

Function 000D2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00092B6B

Part of subcall function 00093A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00161418,?,00092E7F,?,?,?,00000000), ref: 00093A78

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00152224), ref: 000D2C10
ShellExecuteW.SHELL32(00000000,?,?,00152224), ref: 000D2C17

Strings

runas, xrefs: 000D2C0B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: df14c2ebc6791767c2616d731fea7e9ade497a2a155412126c5612ddd0192a81
Instruction ID: eea8eb2f39f9d17ba0c61fad4ba0c5b2be7e8c5ecc4e20a513913118442d0cd7
Opcode Fuzzy Hash: df14c2ebc6791767c2616d731fea7e9ade497a2a155412126c5612ddd0192a81
Instruction Fuzzy Hash: 4511CD31208301BACF14FF60DC529EEB7E4ABA1341F48542DF592520A3CF218A4AAB52

Function 000FD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000FD501
Process32FirstW.KERNEL32(00000000,?), ref: 000FD50F
Process32NextW.KERNEL32(00000000,?), ref: 000FD52F
CloseHandle.KERNELBASE(00000000), ref: 000FD5DC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b35f98f84f5fa9ceeba0df01b0c9ad988fd8cb0c9eff0da41790fd7cd757b823
Instruction ID: c133eab4c019f5deb6940776979bc4fa54a3cea106fb1499ec10eb2297065758
Opcode Fuzzy Hash: b35f98f84f5fa9ceeba0df01b0c9ad988fd8cb0c9eff0da41790fd7cd757b823
Instruction Fuzzy Hash: 5831C271108304AFD710EF64C881ABFBBF9EF99354F10092DF681821A2EB719949DB92

Function 000FDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,000D5222), ref: 000FDBCE
GetFileAttributesW.KERNELBASE(?), ref: 000FDBDD
FindFirstFileW.KERNEL32(?,?), ref: 000FDBEE
FindClose.KERNEL32(00000000), ref: 000FDBFA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d99f6739081a4b50bd5a807c93f06331dd4b287d8e69d62830fa66ff09a0ec45
Instruction ID: 365659a1e93e6cbb5d4d67f64fdefbda19831bc027d2495b9cf9f87f0e892b16
Opcode Fuzzy Hash: d99f6739081a4b50bd5a807c93f06331dd4b287d8e69d62830fa66ff09a0ec45
Instruction Fuzzy Hash: 35F0A030810919E782306B78AC0E8BE37AE9F01334B104703FA76C28E0EBB059A696D5

Function 000B4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000C28E9,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002,00000000,?,000C28E9), ref: 000B4D09
TerminateProcess.KERNEL32(00000000,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002,00000000,?,000C28E9), ref: 000B4D10
ExitProcess.KERNEL32 ref: 000B4D22

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d2aead819a1528c23b78a2c0e8b30ef216100ed6dd52462135450f1c645ae384
Instruction ID: 15937b01fed9f3c0362c40406d4c32fa5d0e34fe59aff0d1305a001921bb31b0
Opcode Fuzzy Hash: d2aead819a1528c23b78a2c0e8b30ef216100ed6dd52462135450f1c645ae384
Instruction Fuzzy Hash: 97E0B631000548BFCF21AF54DD0AA9C3B69FB41795B108418FD059A523CB35DEA2DB84

Function 0011AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0011B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0011B1D4
_wcslen.LIBCMT ref: 0011B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0011B236
_wcslen.LIBCMT ref: 0011B332

Part of subcall function 001005A7: GetStdHandle.KERNEL32(000000F6), ref: 001005C6

_wcslen.LIBCMT ref: 0011B34B
_wcslen.LIBCMT ref: 0011B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0011B3B6
GetLastError.KERNEL32(00000000), ref: 0011B407
CloseHandle.KERNEL32(?), ref: 0011B439
CloseHandle.KERNEL32(00000000), ref: 0011B44A
CloseHandle.KERNEL32(00000000), ref: 0011B45C
CloseHandle.KERNEL32(00000000), ref: 0011B46E
CloseHandle.KERNEL32(?), ref: 0011B4E3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 3b0902443761a532bea4143fe9129c356d636a9641e07e9d028b1153b7664b01
Instruction ID: 7a195beee77fd343b4beff69279ba2ee884b9a2c575239d913695fc347235f6b
Opcode Fuzzy Hash: 3b0902443761a532bea4143fe9129c356d636a9641e07e9d028b1153b7664b01
Instruction Fuzzy Hash: 07F18D315083409FCB18EF24C891BAEBBE5BF85314F15856DF4999B2A2DB31EC84CB52

Function 0009D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0009D807
timeGetTime.WINMM ref: 0009DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009DB28
TranslateMessage.USER32(?), ref: 0009DB7B
DispatchMessageW.USER32(?), ref: 0009DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009DB9F
Sleep.KERNELBASE(0000000A), ref: 0009DBB1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 82a8c83c80f9e95236411d99fd0a87fb9a4dbd71c21512bf2ab815599a0746cf
Instruction ID: c8ef2286ca10a0008f0d47462d3e24f0331c3c10c5ea69a094b9b521693fe0a5
Opcode Fuzzy Hash: 82a8c83c80f9e95236411d99fd0a87fb9a4dbd71c21512bf2ab815599a0746cf
Instruction Fuzzy Hash: 6742F130648382EFDB38DF25C844BAEB7E5BF45304F18452EE59697292D770E894DB82

Function 00092CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00092D07
RegisterClassExW.USER32(00000030), ref: 00092D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00092D42
InitCommonControlsEx.COMCTL32(?), ref: 00092D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00092D6F
LoadIconW.USER32(000000A9), ref: 00092D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00092D94

Strings

+, xrefs: 00092CF0
TaskbarCreated, xrefs: 00092D37
AutoIt v3 GUI, xrefs: 00092D23
0, xrefs: 00092CE9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a08e204f68083937452ee23cc921f845959178c5edebe342089ca3a9c7a05de7
Instruction ID: 03734bfc42249032cb1a0c44ec9491ca81a9679916c80a4d5d0fc6873c227d95
Opcode Fuzzy Hash: a08e204f68083937452ee23cc921f845959178c5edebe342089ca3a9c7a05de7
Instruction Fuzzy Hash: EB21E0B5911218BFDB10DFA4EC89BDDBBB4FB08705F04811AF611A66A0D7B10590CF95

Function 000D065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000D039A: CreateFileW.KERNELBASE(00000000,00000000,?,000D0704,?,?,00000000,?,000D0704,00000000,0000000C), ref: 000D03B7

GetLastError.KERNEL32 ref: 000D076F
__dosmaperr.LIBCMT ref: 000D0776
GetFileType.KERNELBASE(00000000), ref: 000D0782
GetLastError.KERNEL32 ref: 000D078C
__dosmaperr.LIBCMT ref: 000D0795
CloseHandle.KERNEL32(00000000), ref: 000D07B5
CloseHandle.KERNEL32(?), ref: 000D08FF
GetLastError.KERNEL32 ref: 000D0931
__dosmaperr.LIBCMT ref: 000D0938

Strings

H, xrefs: 000D08BD

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9c76cdf81290658aebf41f3ff269e0da39b7a6a329c72c8afdd398526c445345
Instruction ID: fe979f58a9edf55f76cfe2b428db35923bdf57724760d00bdd650b2ac4abf409
Opcode Fuzzy Hash: 9c76cdf81290658aebf41f3ff269e0da39b7a6a329c72c8afdd398526c445345
Instruction Fuzzy Hash: AFA1F532A042059FDF29DF68DC51BEE7BE0AB46320F14015AF8199F392D7719D52CBA1

Function 0009344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00093A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00161418,?,00092E7F,?,?,?,00000000), ref: 00093A78

Part of subcall function 00093357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00093379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0009356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000D318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000D31CE
RegCloseKey.ADVAPI32(?), ref: 000D3210
_wcslen.LIBCMT ref: 000D3277
_wcslen.LIBCMT ref: 000D3286

Strings

\Include\, xrefs: 00093527
Software\AutoIt v3\AutoIt, xrefs: 00093560
\, xrefs: 000D328C
Include, xrefs: 000D3184, 000D31C5

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 85f6ea7eb05e730872d35c02b764102cf1abbd732fb54d22e1510793c0ce39c6
Instruction ID: 20a9510819b919ba2e4958a180bfa017ef5990beddc4b49f522233711c652328
Opcode Fuzzy Hash: 85f6ea7eb05e730872d35c02b764102cf1abbd732fb54d22e1510793c0ce39c6
Instruction Fuzzy Hash: 657195719047019EC714EF65EC819AFBBE8FF99740F40442EF545932A1EB709A89CBA2

Function 00092B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00092B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00092B9D
LoadIconW.USER32(00000063), ref: 00092BB3
LoadIconW.USER32(000000A4), ref: 00092BC5
LoadIconW.USER32(000000A2), ref: 00092BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00092BEF
RegisterClassExW.USER32(?), ref: 00092C40

Part of subcall function 00092CD4: GetSysColorBrush.USER32(0000000F), ref: 00092D07
Part of subcall function 00092CD4: RegisterClassExW.USER32(00000030), ref: 00092D31
Part of subcall function 00092CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00092D42
Part of subcall function 00092CD4: InitCommonControlsEx.COMCTL32(?), ref: 00092D5F
Part of subcall function 00092CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00092D6F
Part of subcall function 00092CD4: LoadIconW.USER32(000000A9), ref: 00092D85
Part of subcall function 00092CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00092D94

Strings

#, xrefs: 00092C16
AutoIt v3, xrefs: 00092C2F
0, xrefs: 00092C0F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 23bd93fcfda63531d0c022d43bb61c73cfda20f96c0d67860eec0f38f09f000f
Instruction ID: 05837540d30ee12dc386bc012d001c295fe424d51653f9e3d4f5951bd0f1162e
Opcode Fuzzy Hash: 23bd93fcfda63531d0c022d43bb61c73cfda20f96c0d67860eec0f38f09f000f
Instruction Fuzzy Hash: 55211870E10318BBDB109FA5EC55AAD7FB4FB48B60F08002AE602A7BA0D7F14590DF90

Function 00093170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0009316A,?,?), ref: 000931D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0009316A,?,?), ref: 00093204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00093227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0009316A,?,?), ref: 00093232
CreatePopupMenu.USER32 ref: 00093246
PostQuitMessage.USER32(00000000), ref: 00093267

Strings

TaskbarCreated, xrefs: 0009322D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c3901b03c748c50294054d20e829327b172926277bf7b3c6d85b6b648e8896d5
Instruction ID: 4844e345a81955137de16851a63692237de08283190f89e8d4ab3da1da0763c1
Opcode Fuzzy Hash: c3901b03c748c50294054d20e829327b172926277bf7b3c6d85b6b648e8896d5
Instruction Fuzzy Hash: C6411D31248204B7DF741B789D0DBBD369AE745354F080125F612D66F2CBB19A91FFA1

Function 00091410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00091459
CoUninitialize.COMBASE ref: 000914F8
UnregisterHotKey.USER32(?), ref: 000916DD
DestroyWindow.USER32(?), ref: 000D24B9
FreeLibrary.KERNEL32(?), ref: 000D251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000D254B

Strings

close all, xrefs: 00091454

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7c2fba1b8b203e54f81db46f78b7af7693aeadbf10df68d304d934c7aa620bb4
Instruction ID: 70b8d866e9c60447d9e82bb45f1b1f2b60fd7fa3bf4676d1b3e8de0e4bbee430
Opcode Fuzzy Hash: 7c2fba1b8b203e54f81db46f78b7af7693aeadbf10df68d304d934c7aa620bb4
Instruction Fuzzy Hash: F1D16931701212CFCB29EF54D599AA9F7A0BF15700F1542AEE54A6B352CB30AC62DFA0

Function 00092C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00092C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00092CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00091CAD,?), ref: 00092CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00091CAD,?), ref: 00092CCF

Strings

edit, xrefs: 00092CAC
AutoIt v3, xrefs: 00092C89, 00092C8E, 00092C8F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3d5b4bbe76d23137fcfa728d7ad30a5ec4062750b5f9a6ffaf502937f88954cb
Instruction ID: b84c89bea5b6088541717b474c186e56fb1307db314cec0e731cfd18ff9c7b8d
Opcode Fuzzy Hash: 3d5b4bbe76d23137fcfa728d7ad30a5ec4062750b5f9a6ffaf502937f88954cb
Instruction Fuzzy Hash: 53F0FE755402907AEB711717AC08E7B3EBDE7CAF60F05005EFE01A3AA0C6B118D1EAB1

Function 00093B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00093B0F,SwapMouseButtons,00000004,?), ref: 00093B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00093B0F,SwapMouseButtons,00000004,?), ref: 00093B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00093B0F,SwapMouseButtons,00000004,?), ref: 00093B83

Strings

Control Panel\Mouse, xrefs: 00093B3E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9b5a92f2b7261eb5f4886a03a23738269fd43eba7d3d514014068ad0c2ce7d73
Instruction ID: 835b761904c8d5a09de16c8a9b5ea7f1922113e71fb07ed6dacfab119fcef29e
Opcode Fuzzy Hash: 9b5a92f2b7261eb5f4886a03a23738269fd43eba7d3d514014068ad0c2ce7d73
Instruction Fuzzy Hash: 46112AB5510208FFDF608FA5DC44EAEB7BDEF44744B104459BA05D7210D3719E51ABA4

Function 00093923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000D33A2

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00093A04

Strings

Line: , xrefs: 000D33EB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 34f7271137654376007102df0ff209887ae8b24c809c4ceec5cb9d03c8538ae4
Instruction ID: 67e7b04e7f3f345fb298993b156e49116237e92575fde5d03844730fd379b03a
Opcode Fuzzy Hash: 34f7271137654376007102df0ff209887ae8b24c809c4ceec5cb9d03c8538ae4
Instruction Fuzzy Hash: 2F31A571408304AACB25EB10DC45BEFB7D8AB45720F04492EF59A93592DBB09749DBD2

Function 000AFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000B0668

Part of subcall function 000B32A4: RaiseException.KERNEL32(?,?,?,000B068A,?,00161444,?,?,?,?,?,?,000B068A,00091129,00158738,00091129), ref: 000B3304

__CxxThrowException@8.LIBVCRUNTIME ref: 000B0685

Strings

Unknown exception, xrefs: 000B0692

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 48f1db22ef2d704a5bab6bf2e3025375c3f6ba0db4e306ce6ce34c077c4154ad
Instruction ID: 85c865f7fdd9da435c87ecf030e7fceffdc4325471d254c67e7f296da6e04c12
Opcode Fuzzy Hash: 48f1db22ef2d704a5bab6bf2e3025375c3f6ba0db4e306ce6ce34c077c4154ad
Instruction Fuzzy Hash: 47F0623490020DB7CF14B6E4DC46CEF77AD9F40750B604535B9249A5D3EF71EA69C681

Function 000910F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00091BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00091BF4
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00091BFC
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00091C07
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00091C12
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00091C1A
Part of subcall function 00091BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00091C22

Part of subcall function 00091B4A: RegisterWindowMessageW.USER32(00000004,?,000912C4), ref: 00091BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0009136A
OleInitialize.OLE32 ref: 00091388
CloseHandle.KERNEL32(00000000,00000000), ref: 000D24AB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 735fc7c73d1e4c36c94d4aa101c8489a9a2e0e5eb3dcc49122c079c61903b620
Instruction ID: 3ae12d91d42282464f17c2f4e419919bf04a39af768b246ed94193b63be701de
Opcode Fuzzy Hash: 735fc7c73d1e4c36c94d4aa101c8489a9a2e0e5eb3dcc49122c079c61903b620
Instruction Fuzzy Hash: A071DFB5901300AEC784DF7AAD45699BAE5FB8A34435C822AD40BD7A72EBB044D1DF81

Function 000FC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00093923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00093A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000FC259
KillTimer.USER32(?,00000001,?,?), ref: 000FC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000FC270

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: da6b07d234e707027c7b5c752463e4265df90edecdac7995b2a5ba7889ab253d
Instruction ID: 4d5962cd32f07f54c8ba89ee3a08304ae55e4717d88894e3bac563794e6ab1b9
Opcode Fuzzy Hash: da6b07d234e707027c7b5c752463e4265df90edecdac7995b2a5ba7889ab253d
Instruction Fuzzy Hash: EF31E370900348AFFBB29F648946BEBBBECAF02304F04049ED2DA93641C7745A84DB51

Function 000C86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,000C85CC,?,00158CC8,0000000C), ref: 000C8704
GetLastError.KERNEL32(?,000C85CC,?,00158CC8,0000000C), ref: 000C870E
__dosmaperr.LIBCMT ref: 000C8739

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 4da5cf6844d4b00c87a8f59610ad6641f0141a132a6518680aca6e7cd8ac3980
Instruction ID: 20a3cdf3aa96a1767ec463630025647e716c981a0d3924c4f642b4d9d3f132d5
Opcode Fuzzy Hash: 4da5cf6844d4b00c87a8f59610ad6641f0141a132a6518680aca6e7cd8ac3980
Instruction Fuzzy Hash: 32016B3660426026C2B063346C45FBF27894B81779F39421DF9049B1D3DEA0ECC18398

Function 0009DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0009DB7B
DispatchMessageW.USER32(?), ref: 0009DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0009DB9F
Sleep.KERNELBASE(0000000A), ref: 0009DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 000E1CC9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: a55dbe3436edb4cdae12f5cdee1161cfbc1e97a67445083d912d7b89976f41c1
Instruction ID: 0799ec119e94e462557f5f5aff718d57729c3787b4f6c11b16d0cc896daf79fd
Opcode Fuzzy Hash: a55dbe3436edb4cdae12f5cdee1161cfbc1e97a67445083d912d7b89976f41c1
Instruction Fuzzy Hash: 22F05E30644380ABEB70CBA0CC49FEA73ECEF45310F104A19E70AD34D0DB3094899B65

Function 000A1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000A17F6

Strings

CALL, xrefs: 000A17C6

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7ebcb3d9d4fa3a538045280c93156640ccb9eddded451d2ca0792aafff377e77
Instruction ID: ed4484eb5786bbf2527f7670462e3a00c672b994d450a0b569bc949824a70519
Opcode Fuzzy Hash: 7ebcb3d9d4fa3a538045280c93156640ccb9eddded451d2ca0792aafff377e77
Instruction Fuzzy Hash: 2E229C70608741DFC724CF64D480AAABBF1BF9A354F14891DF4969B3A2D772E941CB82

Function 00092DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000D2C8C

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

Part of subcall function 00092DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00092DC4

Strings

X, xrefs: 000D2C5A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 2b78e5ab823275a34005d3ba887e16588c277f016247d800b793d1186865c0d4
Instruction ID: fb32eef9c5336da8e07ce68c0d94601883ad4bb0c29c487098856c3361ec26fb
Opcode Fuzzy Hash: 2b78e5ab823275a34005d3ba887e16588c277f016247d800b793d1186865c0d4
Instruction Fuzzy Hash: 7921D571A10258AFCF41EF94C845BEE7BF8AF48305F00405AE405BB342EBB45A899FA1

Function 00093837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00093908

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fc92d47ffdddc7a286e15139acaa4437bae67988ef98f51db4a2da4e7730ac4f
Instruction ID: f5a034177407b2971bb6e64e2fb6f1ac0974626a0ac083b7f6c91b1850ba2950
Opcode Fuzzy Hash: fc92d47ffdddc7a286e15139acaa4437bae67988ef98f51db4a2da4e7730ac4f
Instruction Fuzzy Hash: C83191705043019FD760EF24D88579BBBE8FB49718F04092EF69A87741EBB1AA44DF92

Function 000AF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000AF661

Part of subcall function 0009D730: GetInputState.USER32 ref: 0009D807

Sleep.KERNEL32(00000000), ref: 000EF2DE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 428e35695803b28b1b4453167a151294dc8f7410290f7ec6475ff11aa15395af
Instruction ID: e8eec0c2839d063884d5d3d676154d66ad372a2ac9868af4597f206975c38642
Opcode Fuzzy Hash: 428e35695803b28b1b4453167a151294dc8f7410290f7ec6475ff11aa15395af
Instruction Fuzzy Hash: 35F0A031240A05EFD324EFB9E549BAEB7E8FF45760F00002AE959C7361DB70A850CB91

Function 00094ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00094E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E9C
Part of subcall function 00094E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00094EAE
Part of subcall function 00094E90: FreeLibrary.KERNEL32(00000000,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094EFD

Part of subcall function 00094E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E62
Part of subcall function 00094E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00094E74
Part of subcall function 00094E59: FreeLibrary.KERNEL32(00000000,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E87

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6ac0d166cd61bc0013febe11f78c52fc9e627baaa8404ac92534d34f2d5097f2
Instruction ID: 986f86c8d06bf1b873933892b06da43df8b3414b893d9b03ea76f737dc8fa8c2
Opcode Fuzzy Hash: 6ac0d166cd61bc0013febe11f78c52fc9e627baaa8404ac92534d34f2d5097f2
Instruction Fuzzy Hash: 0811E332610306AACF24AF60DC12FED77A5AF50755F10842EF542A61D2EF709A46A790

Function 000C8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000C8440

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: adb9bdd39b93923b7974dfcdfd16a8d5cb83dcee78b38391e6839e6f862aef56
Instruction ID: a4873a4fa891d62d58756a3248888e1eb354ba455e21e9134d50f58d542faea5
Opcode Fuzzy Hash: adb9bdd39b93923b7974dfcdfd16a8d5cb83dcee78b38391e6839e6f862aef56
Instruction Fuzzy Hash: B7111C7590410AAFCB15DF58E941EDE7BF5EF48314F158059FC08AB312D631DA11CB65

Function 000BE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 35586bd8857b74830c0ee116a3d91c4b7be22beccd579a958e626defb31190a9
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3DF02832510A149AC7313B69DC05FDE37D89F623B4F100729F821931D3DB70D80186A9

Function 000C3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: acf0fc7267a63f86b2156a043552e6b501f10ff06f0af50f8d90788386a52883
Instruction ID: 792766441bd7a6a9937a0037c8f74e7cd8f4b4344861cbb800a1cebeca34074d
Opcode Fuzzy Hash: acf0fc7267a63f86b2156a043552e6b501f10ff06f0af50f8d90788386a52883
Instruction Fuzzy Hash: 24E0ED31124326A6E6712B669C02FEE3698AB42BB0F098038BC1592992CF20DE0586E0

Function 00094F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094F6D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 449eeedce7e64ea7aa8416cdd11167ae3e2e830119a054dfeb1bc0bd2ca65e22
Instruction ID: cffabf95dfb027579d784a6f306b3630eda47b9fb2e61ae83caaefa04e884702
Opcode Fuzzy Hash: 449eeedce7e64ea7aa8416cdd11167ae3e2e830119a054dfeb1bc0bd2ca65e22
Instruction Fuzzy Hash: ECF03971105752CFDF349F64D4A4C66BBE4EF143293208A7EF2EA82A21C7319885EF50

Function 00122A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00122A66

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b863a53954a06851349722c511fa7ecbc3a9f000c48b54366b8f8966447eca5a
Instruction ID: c9d8e38c1e6bf5b57b4c87d757bb06288860977636e64c1a1be901b9f1170592
Opcode Fuzzy Hash: b863a53954a06851349722c511fa7ecbc3a9f000c48b54366b8f8966447eca5a
Instruction Fuzzy Hash: 0DE04F3635412ABAC714EA30EC808FE735CEB643957104536ED16D3D51DB3499A596E0

Function 000930F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0009314E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e41bad699ca4b22257b330f98718a3aa09a8eae2e523de179a7603fdef333185
Instruction ID: 25988067bc40e99d36464d885216f4d8901353c1393c49fa1d650d8e3db75cdb
Opcode Fuzzy Hash: e41bad699ca4b22257b330f98718a3aa09a8eae2e523de179a7603fdef333185
Instruction Fuzzy Hash: 3BF0A770904314AFEB529B24DC457DA7BFCB701708F0400E5E64996692D7B057C8CF81

Function 00092DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00092DC4

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5855053ffba9e8eae84115ee9606ebcf30e83cd2305832685c7809f0dc483fd9
Instruction ID: a1a4a374232ade6731ec29ff472b059351671608884c4dd7c38845aa50541261
Opcode Fuzzy Hash: 5855053ffba9e8eae84115ee9606ebcf30e83cd2305832685c7809f0dc483fd9
Instruction Fuzzy Hash: 50E0CD726002246BCB209398DC05FDA77DDDFC8790F040071FD09D7249DE60ADC48590

Function 00092B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00093837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00093908

Part of subcall function 0009D730: GetInputState.USER32 ref: 0009D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00092B6B

Part of subcall function 000930F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0009314E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 00aa7b4adade973ac0e7cb6da9d3f9dbb9c6a06c9d1ce979495367aa1969b215
Instruction ID: 55f29f1b9ec86878569ce0a6b0d73bc8b08c80c43077624dc77e9f64c005e0ef
Opcode Fuzzy Hash: 00aa7b4adade973ac0e7cb6da9d3f9dbb9c6a06c9d1ce979495367aa1969b215
Instruction Fuzzy Hash: DEE07D2130430427CE08BB75AC224FEF3899FD1351F80043EF14283163DF2085859752

Function 000D039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,000D0704,?,?,00000000,?,000D0704,00000000,0000000C), ref: 000D03B7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1130c4ebcbbdd259f31ff965ea4822da9ddbf86a6caf47d5ee2df4eb27e808c4
Instruction ID: 6f55e5ff0b16ebd05c72d2bd2ad7232290a47bb8de8ed7bdc4174be68149a959
Opcode Fuzzy Hash: 1130c4ebcbbdd259f31ff965ea4822da9ddbf86a6caf47d5ee2df4eb27e808c4
Instruction Fuzzy Hash: 78D06C3204010DFBDF129F84DD06EDA3BAAFB48714F014000BE1856020C732E872AB90

Function 00091CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00091CBC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 1e3dfbba9feecbd2dd9b289b9e0533859f85464f580e05c8e851ce564c36d64a
Instruction ID: 66ac25cb997a6212e523e3dcf71786ff6a04212602a76fe523c9c5336c40c15b
Opcode Fuzzy Hash: 1e3dfbba9feecbd2dd9b289b9e0533859f85464f580e05c8e851ce564c36d64a
Instruction Fuzzy Hash: F4C09236380305BFF2248B80BC4AF547764B759B10F088001F70AA9EE3C3F268A0EA90

Non-executed Functions

Function 00129576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0012961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0012965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0012969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001296C9
SendMessageW.USER32 ref: 001296F2
GetKeyState.USER32(00000011), ref: 0012978B
GetKeyState.USER32(00000009), ref: 00129798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001297AE
GetKeyState.USER32(00000010), ref: 001297B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001297E9
SendMessageW.USER32 ref: 00129810
SendMessageW.USER32(?,00001030,?,00127E95), ref: 00129918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0012992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00129941
SetCapture.USER32(?), ref: 0012994A
ClientToScreen.USER32(?,?), ref: 001299AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001299BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001299D6
ReleaseCapture.USER32 ref: 001299E1
GetCursorPos.USER32(?), ref: 00129A19
ScreenToClient.USER32(?,?), ref: 00129A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00129A80
SendMessageW.USER32 ref: 00129AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00129AEB
SendMessageW.USER32 ref: 00129B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00129B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00129B4A
GetCursorPos.USER32(?), ref: 00129B68
ScreenToClient.USER32(?,?), ref: 00129B75
GetParent.USER32(?), ref: 00129B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00129BFA
SendMessageW.USER32 ref: 00129C2B
ClientToScreen.USER32(?,?), ref: 00129C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00129CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00129CDE
SendMessageW.USER32 ref: 00129D01
ClientToScreen.USER32(?,?), ref: 00129D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00129D82

Part of subcall function 000A9944: GetWindowLongW.USER32(?,000000EB), ref: 000A9952

GetWindowLongW.USER32(?,000000F0), ref: 00129E05

Strings

F, xrefs: 00129D07
@GUI_DRAGID, xrefs: 0012997D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: bc337b8702aaee776a86f0bc1cfeacc74d585e633ba2bdd2a9e080bbe8dc11a0
Instruction ID: 45c6939c2d4f721d247c09dba6446ff30fd71cf9b3de14a850ef303a8f86c39a
Opcode Fuzzy Hash: bc337b8702aaee776a86f0bc1cfeacc74d585e633ba2bdd2a9e080bbe8dc11a0
Instruction Fuzzy Hash: 89429A74204210AFDB24CF28DC84EAABBE5FF49314F144A19F699876A1D771E8B1CF91

Function 00124873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001248F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00124908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00124927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0012494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0012495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0012497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001249AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001249D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00124A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00124A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00124A7E
IsMenu.USER32(?), ref: 00124A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00124AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00124B20
GetWindowLongW.USER32(?,000000F0), ref: 00124B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00124BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00124C82
wsprintfW.USER32 ref: 00124CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00124CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00124CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00124D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00124D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00124D5A

Strings

%d/%02d/%02d, xrefs: 00124CA8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8d60b4196cd9d3f8a444d48356025a26422590152113e3851bc15edd235a1c4a
Instruction ID: 8ca851f89ff7d951c187943d232120f805290ba0cb5d5f8712fee287180be461
Opcode Fuzzy Hash: 8d60b4196cd9d3f8a444d48356025a26422590152113e3851bc15edd235a1c4a
Instruction Fuzzy Hash: 4E12D271600224ABEB298F68EC49FEE7BF8EF85710F104119F516DB2E1DB749951CB90

Function 000AF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000AF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000EF474
IsIconic.USER32(00000000), ref: 000EF47D
ShowWindow.USER32(00000000,00000009), ref: 000EF48A
SetForegroundWindow.USER32(00000000), ref: 000EF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000EF4AA
GetCurrentThreadId.KERNEL32 ref: 000EF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000EF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000EF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000EF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000EF4DE
SetForegroundWindow.USER32(00000000), ref: 000EF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF4F6
keybd_event.USER32(00000012,00000000), ref: 000EF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF50B
keybd_event.USER32(00000012,00000000), ref: 000EF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF519
keybd_event.USER32(00000012,00000000), ref: 000EF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000EF528
keybd_event.USER32(00000012,00000000), ref: 000EF52D
SetForegroundWindow.USER32(00000000), ref: 000EF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000EF557

Strings

Shell_TrayWnd, xrefs: 000EF46F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1a9e362b9897dc904391e92338549c67a643eb7c2472570cf71d8e6352c0d739
Instruction ID: 5a96d7b1abec899877aa26860bef58b05df0d5610cf1a95df7159d4a8b4aed28
Opcode Fuzzy Hash: 1a9e362b9897dc904391e92338549c67a643eb7c2472570cf71d8e6352c0d739
Instruction Fuzzy Hash: BE315071A40218BEEB316BB65C4AFBF7E6CEB44B50F100065FB01F61D1D6B09951AEA0

Function 000F1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F170D
Part of subcall function 000F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F173A
Part of subcall function 000F16C3: GetLastError.KERNEL32 ref: 000F174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000F1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000F12A8
CloseHandle.KERNEL32(?), ref: 000F12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000F12D1
GetProcessWindowStation.USER32 ref: 000F12EA
SetProcessWindowStation.USER32(00000000), ref: 000F12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000F1310

Part of subcall function 000F10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F11FC), ref: 000F10D4
Part of subcall function 000F10BF: CloseHandle.KERNEL32(?,?,000F11FC), ref: 000F10E9

Strings

default, xrefs: 000F130B
winsta0, xrefs: 000F12CC
, xrefs: 000F125A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: df390062b0eca2ea77cc9295027fb4c8b03efa24c7b8cd99b2a0ec4a2aa6b095
Instruction ID: 6c7cc67f924453e7cb8acf83aded89b1aa3ae41eb52b6b7978506e7eab50578a
Opcode Fuzzy Hash: df390062b0eca2ea77cc9295027fb4c8b03efa24c7b8cd99b2a0ec4a2aa6b095
Instruction Fuzzy Hash: B8818671900209FFDF24DFA4DC49BFE7BB9AF48700F144129FA11A66A1C7309A95DBA0

Function 000F0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F1114
Part of subcall function 000F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1120
Part of subcall function 000F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F112F
Part of subcall function 000F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1136
Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000F0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000F0C00
GetLengthSid.ADVAPI32(?), ref: 000F0C17
GetAce.ADVAPI32(?,00000000,?), ref: 000F0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F0C6D
GetLengthSid.ADVAPI32(?), ref: 000F0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000F0C8C
HeapAlloc.KERNEL32(00000000), ref: 000F0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000F0CB4
CopySid.ADVAPI32(00000000), ref: 000F0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000F0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000F0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0D45
HeapFree.KERNEL32(00000000), ref: 000F0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0D55
HeapFree.KERNEL32(00000000), ref: 000F0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0D65
HeapFree.KERNEL32(00000000), ref: 000F0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 000F0D78
HeapFree.KERNEL32(00000000), ref: 000F0D7F

Part of subcall function 000F1193: GetProcessHeap.KERNEL32(00000008,000F0BB1,?,00000000,?,000F0BB1,?), ref: 000F11A1
Part of subcall function 000F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000F0BB1,?), ref: 000F11A8
Part of subcall function 000F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000F0BB1,?), ref: 000F11B7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8ef80e8950332fde0b0ef85301c1b5b4e868271d947d8e8aeedf660043b9205d
Instruction ID: 4ad28c777fbf1f593c58389c150466cf8acf67c1178b5fe4e4d53cf78a36f67c
Opcode Fuzzy Hash: 8ef80e8950332fde0b0ef85301c1b5b4e868271d947d8e8aeedf660043b9205d
Instruction Fuzzy Hash: 5971697690020AFBDF20DFA4DC45BFEBBB9BF04300F044515FA14A6692D771AA56DBA0

Function 0010EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0012CC08), ref: 0010EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0010EB37
GetClipboardData.USER32(0000000D), ref: 0010EB43
CloseClipboard.USER32 ref: 0010EB4F
GlobalLock.KERNEL32(00000000), ref: 0010EB87
CloseClipboard.USER32 ref: 0010EB91
GlobalUnlock.KERNEL32(00000000), ref: 0010EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0010EBC9
GetClipboardData.USER32(00000001), ref: 0010EBD1
GlobalLock.KERNEL32(00000000), ref: 0010EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0010EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0010EC38
GetClipboardData.USER32(0000000F), ref: 0010EC44
GlobalLock.KERNEL32(00000000), ref: 0010EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0010EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0010EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0010ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0010ECF3
CountClipboardFormats.USER32 ref: 0010ED14
CloseClipboard.USER32 ref: 0010ED59

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 76cf145854cd4b67676242e755a88dd93b6ca0bb0f61fd891843a31ed8b0a1e0
Instruction ID: 211fda43db894f43ff2b70ee1603c8f1993e158304b2a07e16c0daa9c6242589
Opcode Fuzzy Hash: 76cf145854cd4b67676242e755a88dd93b6ca0bb0f61fd891843a31ed8b0a1e0
Instruction Fuzzy Hash: 9161ED30204201AFD710EF65D894F6E77E4EF84704F04491DF996972E2CBB1E986CBA2

Function 0010698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001069BE
FindClose.KERNEL32(00000000), ref: 00106A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00106A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00106A75

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00106AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00106ADF

Strings

%02d, xrefs: 00106C00, 00106C0A, 00106C5A, 00106CAA, 00106CFA, 00106D4A
%03d, xrefs: 00106DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00106B32
%4d%02d%02d%02d%02d%02d, xrefs: 00106B6A
%4d, xrefs: 00106BB1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9053a934a03f1b054132613b8c39d0c275176c1166b451395f718f1ba42e04cf
Instruction ID: 64b93ecfa8b6aeb3cddb79e10b17cf861d09121d7b68d5eedf6510de0b85dbd6
Opcode Fuzzy Hash: 9053a934a03f1b054132613b8c39d0c275176c1166b451395f718f1ba42e04cf
Instruction Fuzzy Hash: 4FD140B2508300AEC714EBA4C891EEFB7ECAF98704F44491DF589D7192EB74DA44DB62

Function 00109642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00109663
GetFileAttributesW.KERNEL32(?), ref: 001096A1
SetFileAttributesW.KERNEL32(?,?), ref: 001096BB
FindNextFileW.KERNEL32(00000000,?), ref: 001096D3
FindClose.KERNEL32(00000000), ref: 001096DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001096FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0010974A
SetCurrentDirectoryW.KERNEL32(00156B7C), ref: 00109768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00109772
FindClose.KERNEL32(00000000), ref: 0010977F
FindClose.KERNEL32(00000000), ref: 0010978F

Strings

*.*, xrefs: 001096F5

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 1d7ff587e3d717b46ca67681b5af4e401b0c73e17f4649ab8bdd8f15653def9f
Instruction ID: 55ce454645ac11a3a248bfbbf995555faa957672b8cbe407a3fae4ebdf711b02
Opcode Fuzzy Hash: 1d7ff587e3d717b46ca67681b5af4e401b0c73e17f4649ab8bdd8f15653def9f
Instruction Fuzzy Hash: AA310232641219BECB24EFB4DC18ADE73ACAF09321F104195F990E20E1DB74DA848E94

Function 0010979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001097BE
FindNextFileW.KERNEL32(00000000,?), ref: 00109819
FindClose.KERNEL32(00000000), ref: 00109824
FindFirstFileW.KERNEL32(*.*,?), ref: 00109840
SetCurrentDirectoryW.KERNEL32(?), ref: 00109890
SetCurrentDirectoryW.KERNEL32(00156B7C), ref: 001098AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001098B8
FindClose.KERNEL32(00000000), ref: 001098C5
FindClose.KERNEL32(00000000), ref: 001098D5

Part of subcall function 000FDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000FDB00

Strings

*.*, xrefs: 0010983B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 8c6c0e4a363afd69e2aea28098ac491b93060bc56b86a09df281e9e858de53e1
Instruction ID: 7183f011b6a8891be76e42ba9c42839cc8c34b8a31e56b23c3f91cb949d22ece
Opcode Fuzzy Hash: 8c6c0e4a363afd69e2aea28098ac491b93060bc56b86a09df281e9e858de53e1
Instruction Fuzzy Hash: A231283150121DBEDF20EFB4EC58ADE73ACAF06320F148156E990A31D2DB74DD95CAA4

Function 0011BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0011BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0011BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0011C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0011C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0011C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0011C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0011C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0011C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0011C382
RegCloseKey.ADVAPI32(00000000), ref: 0011C38F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 0bac9fd5b4860edfb4850e8925f8fc40dfdc75a0f5e379c0228a327b31d315e3
Instruction ID: 7fb02ea520be21f889986568134ab956d818ee717c9853622fd6c4efbabd0db5
Opcode Fuzzy Hash: 0bac9fd5b4860edfb4850e8925f8fc40dfdc75a0f5e379c0228a327b31d315e3
Instruction Fuzzy Hash: 7B024E71604200AFD718CF28C895E6AB7E5BF49304F19C4ADF459CB2A2D731ED86CB92

Function 00108195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00108257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00108267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00108273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00108310
SetCurrentDirectoryW.KERNEL32(?), ref: 00108324
SetCurrentDirectoryW.KERNEL32(?), ref: 00108356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0010838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00108395

Strings

*.*, xrefs: 0010839B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c1dbffcbe902876a3640108018b97611f58e89abdecc071bda5e8ae2a6854356
Instruction ID: e46a1ad1950cd9f97bb466c56ce9f276d09b851ebcf2fcff41c069610f271b14
Opcode Fuzzy Hash: c1dbffcbe902876a3640108018b97611f58e89abdecc071bda5e8ae2a6854356
Instruction Fuzzy Hash: D0616C725087059FDB10EF64D8409AEB3E8FF89314F04492EF9D987252EB71E945CB92

Function 000FD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

Part of subcall function 000FE199: GetFileAttributesW.KERNEL32(?,000FCF95), ref: 000FE19A

FindFirstFileW.KERNEL32(?,?), ref: 000FD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000FD1DD
MoveFileW.KERNEL32(?,?), ref: 000FD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 000FD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 000FD237

Part of subcall function 000FD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000FD21C,?,?), ref: 000FD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 000FD253
FindClose.KERNEL32(00000000), ref: 000FD264

Strings

\*.*, xrefs: 000FD0CD, 000FD0D6, 000FD0EB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b354bcbb3c0532719902d4397db8cb0d5ebe83217d25f41f5f276f56c1bfd8af
Instruction ID: 14eb13e82208489efc038d822a86efd376e144629836181ec2a79ed3b343443d
Opcode Fuzzy Hash: b354bcbb3c0532719902d4397db8cb0d5ebe83217d25f41f5f276f56c1bfd8af
Instruction Fuzzy Hash: C6616F3180110DABCF15EBE4D9929FDB7B6AF25300F64416AE50177192EF316F09EBA1

Function 0010ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0010ED91
EmptyClipboard.USER32 ref: 0010ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0010EDAC
CloseClipboard.USER32 ref: 0010EEA3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e697edf25cdfcb46a4cc1da83fab37471d23d9839535b72ff3dbcfc623850986
Instruction ID: 03e8a062c2e631748f34f53d0929cc5de4249863e078a57a093b02c0ae6d3d92
Opcode Fuzzy Hash: e697edf25cdfcb46a4cc1da83fab37471d23d9839535b72ff3dbcfc623850986
Instruction Fuzzy Hash: 57419F35604611AFE720DF16D848F59BBE1EF44318F15C499E4598BBA2C775EC82CBD0

Function 000FE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000F16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F170D
Part of subcall function 000F16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F173A
Part of subcall function 000F16C3: GetLastError.KERNEL32 ref: 000F174A

ExitWindowsEx.USER32(?,00000000), ref: 000FE932

Strings

, xrefs: 000FE95C
@, xrefs: 000FE925
, xrefs: 000FE920
SeShutdownPrivilege, xrefs: 000FE902

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 5ccd69a760c9c7cad797ab35b036b3ed2a439f791f9bf73ab29231fcb36eadfb
Instruction ID: 785160f9ee3fb7891d2c4ba86ee817ebac3698c7888f862d73ec04ccd8e63aca
Opcode Fuzzy Hash: 5ccd69a760c9c7cad797ab35b036b3ed2a439f791f9bf73ab29231fcb36eadfb
Instruction Fuzzy Hash: 1301F232614219BBEB6426B4DC86FFF729C9B14741F140521FB02E28E2DAE05C80A1E0

Function 00111204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00111276
WSAGetLastError.WSOCK32 ref: 00111283
bind.WSOCK32(00000000,?,00000010), ref: 001112BA
WSAGetLastError.WSOCK32 ref: 001112C5
closesocket.WSOCK32(00000000), ref: 001112F4
listen.WSOCK32(00000000,00000005), ref: 00111303
WSAGetLastError.WSOCK32 ref: 0011130D
closesocket.WSOCK32(00000000), ref: 0011133C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 08a8feba5dc2264b7fc246b2e16361932ce79ee4868dd31141eb5437c8a749ba
Instruction ID: ddb4100ad68282522a716a5eaffb0c0364e7a47d7b289e0c678baf5e9cdd9577
Opcode Fuzzy Hash: 08a8feba5dc2264b7fc246b2e16361932ce79ee4868dd31141eb5437c8a749ba
Instruction Fuzzy Hash: 84419331600150AFD724DF24C484BA9FBE6BF46314F288198D9569F296C771ECC2CBE1

Function 000FD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

Part of subcall function 000FE199: GetFileAttributesW.KERNEL32(?,000FCF95), ref: 000FE19A

FindFirstFileW.KERNEL32(?,?), ref: 000FD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 000FD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 000FD481
FindClose.KERNEL32(00000000), ref: 000FD498
FindClose.KERNEL32(00000000), ref: 000FD4A1

Strings

\*.*, xrefs: 000FD3F2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c60a6aeb0ace12d31236624ffce1a4e9931ee69a91178cb3f5f352a8d7ccaa6e
Instruction ID: 1c4936a4d4d46767740c3db383985e3422d0204b2c5b15b5ad5c31a7c8ccdf9a
Opcode Fuzzy Hash: c60a6aeb0ace12d31236624ffce1a4e9931ee69a91178cb3f5f352a8d7ccaa6e
Instruction Fuzzy Hash: 82317031008345ABC710EF64C8518FF77E9BFA2314F444A1EF5D593192EB20AA09EBA3

Function 000CE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000CE645

Strings

1#SNAN, xrefs: 000CF844
1#QNAN, xrefs: 000CF84B
1#INF, xrefs: 000CF852
1#IND, xrefs: 000CF83D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 05b713a50348d08e4da914d169a8ca80287d059a2a71574619c09be46345991e
Instruction ID: 030d96a583a1337315d398ddfdfba56333589a4d2bc3eca370067fe964b1fdbf
Opcode Fuzzy Hash: 05b713a50348d08e4da914d169a8ca80287d059a2a71574619c09be46345991e
Instruction Fuzzy Hash: 4FC21672E086698BDB65CF28DD40BEEB7B6EB48304F1441EAD44DE7241E774AE818F41

Function 0010648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001064DC
CoInitialize.OLE32(00000000), ref: 00106639
CoCreateInstance.OLE32(0012FCF8,00000000,00000001,0012FB68,?), ref: 00106650
CoUninitialize.OLE32 ref: 001068D4

Strings

.lnk, xrefs: 001064BA, 00106524, 001065E0

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 994c78bae1c11030f41d76d7978d57c0fdd4da2f26bb81b28263d2978027c15a
Instruction ID: 994131991991286810471e6ca85c5d34d303ed653052ab3d4a9e4436e51645dd
Opcode Fuzzy Hash: 994c78bae1c11030f41d76d7978d57c0fdd4da2f26bb81b28263d2978027c15a
Instruction Fuzzy Hash: 8CD13A71508301AFD714EF24C891DABB7E8FF94704F40496DF5998B292EB71E905CB92

Function 001122DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001122E8

Part of subcall function 0010E4EC: GetWindowRect.USER32(?,?), ref: 0010E504

GetDesktopWindow.USER32 ref: 00112312
GetWindowRect.USER32(00000000), ref: 00112319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00112355
GetCursorPos.USER32(?), ref: 00112381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001123DF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 1334dfd11d437a6cfd2804839eabceb117abcc643a67f5d1bd05d39c7e67c18a
Instruction ID: 2385d749e3c4efb98f7f73283d4badb46680b3f55b8869af32f7ccb3949070b6
Opcode Fuzzy Hash: 1334dfd11d437a6cfd2804839eabceb117abcc643a67f5d1bd05d39c7e67c18a
Instruction Fuzzy Hash: 2831D072504315AFC724DF14C845B9BB7A9FF88310F000929F995D7191DB74EA59CBD2

Function 00109B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00109B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00109C8B

Part of subcall function 00103874: GetInputState.USER32 ref: 001038CB
Part of subcall function 00103874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00103966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00109BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00109C75

Strings

*.*, xrefs: 00109B5D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 84a67732091713ff13fddca0d9df2327ae6279e2eafc602654c62252b83ffc95
Instruction ID: 5d0f9f5a375ed5018c97d82cc16211c60a0da6784fb9ee16116a996817605f6b
Opcode Fuzzy Hash: 84a67732091713ff13fddca0d9df2327ae6279e2eafc602654c62252b83ffc95
Instruction Fuzzy Hash: 4C419271D0020AAFDF14DF64C955AEEBBB8EF09310F244156E855A71D2EB709E94CFA0

Function 000A997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 000A9A4E
GetSysColor.USER32(0000000F), ref: 000A9B23
SetBkColor.GDI32(?,00000000), ref: 000A9B36

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 523129b30a624d141d28609168b5bef7885f2e2cfc973acf4e395b862fc327df
Instruction ID: 7e109bb0a17dc3defd1d9e41217cc3fed88bad248740203daa0d556228d6e567
Opcode Fuzzy Hash: 523129b30a624d141d28609168b5bef7885f2e2cfc973acf4e395b862fc327df
Instruction Fuzzy Hash: 25A14B70308490BEE778AABD9C48EBF36DDEB93344F15010AF502E6991CB259D51D2B3

Function 00111806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0011304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0011307A
Part of subcall function 0011304E: _wcslen.LIBCMT ref: 0011309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0011185D
WSAGetLastError.WSOCK32 ref: 00111884
bind.WSOCK32(00000000,?,00000010), ref: 001118DB
WSAGetLastError.WSOCK32 ref: 001118E6
closesocket.WSOCK32(00000000), ref: 00111915

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a81dbb6f733b54c7dae2b2ee9272381bda01a25c418a504f6e701252cdb52b15
Instruction ID: 3423b9bda3ca724a9387383bf8e3ec9503b4ce62353b1a5760f31866bf87ff87
Opcode Fuzzy Hash: a81dbb6f733b54c7dae2b2ee9272381bda01a25c418a504f6e701252cdb52b15
Instruction Fuzzy Hash: 2351B671A00210AFDB14AF24C886FAAB7E5AB49718F44C05CFA195F3D3D771AD818BE1

Function 00121C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00121CC0
IsWindowEnabled.USER32 ref: 00121CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00121CDB
IsIconic.USER32 ref: 00121CE9
IsZoomed.USER32 ref: 00121CF7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 50c8429e6424fef4fcb7a5e5a0940580717ca9fa815f06bfb216aeb19a30d779
Instruction ID: 35b16b824a14d4347f65efc5daf22ea1407e53067f7a638afb87fb57ea801808
Opcode Fuzzy Hash: 50c8429e6424fef4fcb7a5e5a0940580717ca9fa815f06bfb216aeb19a30d779
Instruction Fuzzy Hash: 2F21D6357402206FD720CF1AE844B6A7BA5EFA5314B198068E8498B351D771EC62CBD0

Function 00098060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000D5DF0
VUUU, xrefs: 000983FA
VUUU, xrefs: 0009843C
VUUU, xrefs: 000983E8
ERCP, xrefs: 0009813C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 456e77c1a7314b50bca8bc4820fdf0ec8de89c4771dda231a33cd234a938891e
Instruction ID: ce142a887d9a6e263ece183fb69eb7adbb0fa6a64be5aabc686a89f38ce49a2c
Opcode Fuzzy Hash: 456e77c1a7314b50bca8bc4820fdf0ec8de89c4771dda231a33cd234a938891e
Instruction Fuzzy Hash: C5A26E71E0061ACBDF74CF58C8447AEB7B1BF55310F2481AAE815AB385EB319E81DB60

Function 000FAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000FAAAC
SetKeyboardState.USER32(00000080), ref: 000FAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000FAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000FAB88

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f110bdaba81fe70b74c5abdba8008a0cf5ad4f12fd75429ec48c0a3bf6dd6a34
Instruction ID: cb96d2f3f2b5ba3ceca7dfd89fcbee3d59693d8773267eaac98f9c2825a2decd
Opcode Fuzzy Hash: f110bdaba81fe70b74c5abdba8008a0cf5ad4f12fd75429ec48c0a3bf6dd6a34
Instruction Fuzzy Hash: A6311AB0B4020CAEFF358B64CC05BFE77E6AB46310F04421AF389569D2D3748995E7A2

Function 000CBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000CBB7F

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

GetTimeZoneInformation.KERNEL32 ref: 000CBB91
WideCharToMultiByte.KERNEL32(00000000,?,0016121C,000000FF,?,0000003F,?,?), ref: 000CBC09
WideCharToMultiByte.KERNEL32(00000000,?,00161270,000000FF,?,0000003F,?,?,?,0016121C,000000FF,?,0000003F,?,?), ref: 000CBC36

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: d1aacd02960a933c30601d6a0c61555ffb95c1f03164941902614a2f852009a6
Instruction ID: bcebfdab907467fa35b1496c1521ff2f2c662b1a8bce76eb62613c478fcfc24e
Opcode Fuzzy Hash: d1aacd02960a933c30601d6a0c61555ffb95c1f03164941902614a2f852009a6
Instruction Fuzzy Hash: FE31C070904245EFCB11DF69CC92A6DBBF8FF45710B28426EE120D72A2D7709E51DB90

Function 0010CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0010CE89
GetLastError.KERNEL32(?,00000000), ref: 0010CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0010CEFE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: df886c7e07882d219fc2858a3bcabacee6e4478b49e4e99c6eb83abfcd606184
Instruction ID: 40fde4e15668695003f11233f59cd23ea8f9ebac7e00298f8b8e30d806510c17
Opcode Fuzzy Hash: df886c7e07882d219fc2858a3bcabacee6e4478b49e4e99c6eb83abfcd606184
Instruction Fuzzy Hash: A0218C71500705ABD730DF65C948BAABBF8EB40354F20462AE686D2191E7B0EE458FA0

Function 000F8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000F82AA

Strings

(, xrefs: 000F82F0
|, xrefs: 000F82DA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 144e169f5ee1b4323670976378eb7257a99ca39bcf63f141514b2a42e445fcb1
Instruction ID: 590320a949d8df0342e69c152e82d0ebecb855b58e27220153fda2d1421f55ee
Opcode Fuzzy Hash: 144e169f5ee1b4323670976378eb7257a99ca39bcf63f141514b2a42e445fcb1
Instruction Fuzzy Hash: 3F322575A007099FCB28CF59C481AAAB7F0FF48710B15C56EE59ADB7A1EB70E941CB40

Function 00105C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00105CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00105D17
FindClose.KERNEL32(?), ref: 00105D5F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 94b535686c49b02b1e9306105aaadb37e83dbbc6f5df1040f070229136963e53
Instruction ID: f7b20b03a7f7eed7ff05a2c7097956566b10f977c4c51f4465265730b6c7f77a
Opcode Fuzzy Hash: 94b535686c49b02b1e9306105aaadb37e83dbbc6f5df1040f070229136963e53
Instruction Fuzzy Hash: 3A51B935604A019FC718CF68C494E9AB7E5FF0A324F14855EE99A8B3A2DB70EC44CF91

Function 000C2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 000C271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000C2724
UnhandledExceptionFilter.KERNEL32(?), ref: 000C2731

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3e7ab124e5fa271f6ee3c4629e6d91454e77254739be94a3617fdf52e07f3d53
Instruction ID: 8540c87b6bfc749bed5b99b8a41a568d216cfe32ba28b68d0e7576be6fa94e0b
Opcode Fuzzy Hash: 3e7ab124e5fa271f6ee3c4629e6d91454e77254739be94a3617fdf52e07f3d53
Instruction Fuzzy Hash: 7B31B474911218ABCB61DF64DC89BDDB7B8AF08710F5046EAE41CA6261E7709F818F45

Function 001051CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001051DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00105238
SetErrorMode.KERNEL32(00000000), ref: 001052A1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9e82de055af75b1bc41a5f2d244bef5bdca48a4c0a070b69cf34512bcd443ed3
Instruction ID: 1df3d877893a461e7bbe76d84cadb572b256ea7d98656377e465bc6adcf99e0b
Opcode Fuzzy Hash: 9e82de055af75b1bc41a5f2d244bef5bdca48a4c0a070b69cf34512bcd443ed3
Instruction Fuzzy Hash: 85317F35A00508DFDB00DF54D885EAEBBB5FF08314F048099E949AB392DB71E856CB90

Function 000F16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000B0668
Part of subcall function 000AFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000B0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000F170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000F173A
GetLastError.KERNEL32 ref: 000F174A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: bc1367442fb40efcc2d258b2985f2fa363b8188ca043e5713a89830b8bdf0d01
Instruction ID: 27345c813f9ba9c0dccfcc1bb383316c6cdde683389a55ba4d5d2979a3dd3f3c
Opcode Fuzzy Hash: bc1367442fb40efcc2d258b2985f2fa363b8188ca043e5713a89830b8bdf0d01
Instruction Fuzzy Hash: 9A11B2B1404309BFD728AF94DC86DBBB7B9EB04714B20852EF15653641EB70BC428A60

Function 000FD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000FD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000FD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000FD650

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 3b1bd197fcd804ef29ac3416d371ef370492259fa283e9f23f05cee42039d81c
Instruction ID: d95bb5b2e72813a9771d167bf5873e63b2fedccbb62843ef912c0273e78d1e29
Opcode Fuzzy Hash: 3b1bd197fcd804ef29ac3416d371ef370492259fa283e9f23f05cee42039d81c
Instruction Fuzzy Hash: 1D115E75E05228BFDB209F95DC45FAFBBBCEB45B60F108116FA04E7290D6704A059BE1

Function 000F1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000F168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000F16A1
FreeSid.ADVAPI32(?), ref: 000F16B1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 63b1fa4839698b5852d1622e48d39d87337f56681752689f431bc7005b67ab6a
Instruction ID: 4baafbdb156827be661e216d4501861959c186549417ac1bebbb6af72a77591a
Opcode Fuzzy Hash: 63b1fa4839698b5852d1622e48d39d87337f56681752689f431bc7005b67ab6a
Instruction Fuzzy Hash: 82F0447594030CFBDB00CFE09C89EAEBBBCFB08240F104460E600E2180E330AA448A94

Function 000ED27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000ED28C

Strings

X64, xrefs: 000ED2A8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 33b210fa8988c805cee619452f1aa4f730405b3acdfce99ecad5513ec5ee0dfb
Instruction ID: 4959b95ab888944258f23babbf826d5ffb6353c7e50ca6efa9bbfcb165ad3f13
Opcode Fuzzy Hash: 33b210fa8988c805cee619452f1aa4f730405b3acdfce99ecad5513ec5ee0dfb
Instruction Fuzzy Hash: A9D0C9B480111DEECBA4CB90DC88DDDB37CBB14305F100156F206A2000D73095498F10

Function 000BCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 3c5661b153d666c77b46a57bb711abd4f419abc7a6cd860a53748c34461f7708
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 88020C71E002199BDF14CFA9C880AEEBBF1EF58314F25816AD919EB385D731AD41CB94

Function 001068EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00106918
FindClose.KERNEL32(00000000), ref: 00106961

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26509fa332f8fcc813d734ddabd988e46a604678925809fd08e523e06d8b7e07
Instruction ID: b8f06dfe8fdc1a9b955eaaf9cf3f9ae154c117958c505fed5fef397e5b9da858
Opcode Fuzzy Hash: 26509fa332f8fcc813d734ddabd988e46a604678925809fd08e523e06d8b7e07
Instruction Fuzzy Hash: BE11D0316042009FD710CF29C484E1ABBE1FF88328F04C6A9F4A98F6A2CB70EC45CB90

Function 001037B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00114891,?,?,00000035,?), ref: 001037E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00114891,?,?,00000035,?), ref: 001037F4

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7d844c80796b4f4bb6a80bbff69ff2de8e0629225012b089641ba20828e27dde
Instruction ID: b3691e4fff76b17e421690c70d424e48a3b6795e63a48d6581bdb25674e32ded
Opcode Fuzzy Hash: 7d844c80796b4f4bb6a80bbff69ff2de8e0629225012b089641ba20828e27dde
Instruction Fuzzy Hash: 25F0ECB06043147AE72057658C4DFDB365EEFC4761F000175F505D22C1DA605944C6F0

Function 000FB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000FB25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 000FB270

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 76f9eaa1335aca446fc9a6675b226c7d23b31d581ff4c0168934c3c0219864e4
Instruction ID: 394722a617b5bed27f68726105ce8dddade11faadc821ac404aaf8c10c660ef5
Opcode Fuzzy Hash: 76f9eaa1335aca446fc9a6675b226c7d23b31d581ff4c0168934c3c0219864e4
Instruction Fuzzy Hash: 4AF01D7190428EABDF159FA0C805BBE7BB4FF04305F108009FA55A5191C779C6519F94

Function 000F10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000F11FC), ref: 000F10D4
CloseHandle.KERNEL32(?,?,000F11FC), ref: 000F10E9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e80099fd7b896e90fce5ec4e886653c05226cef4eb1e7e715d519e75c20e9bc7
Instruction ID: 3b898e8d83123a5b84cb77c0dd4811344494025e1822553f78ec94d93553a629
Opcode Fuzzy Hash: e80099fd7b896e90fce5ec4e886653c05226cef4eb1e7e715d519e75c20e9bc7
Instruction Fuzzy Hash: 91E04F32004601FEE7352BA1FC05EB777E9EB04320B20882DF5A5808B1DB626CE1DB54

Function 0009CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000E0C40

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: dbce76725cc8a3278265029499c2f974241782f8ac824029cee1d11a1f326373
Instruction ID: 5fff9dd219863b841069593f35cf5f157b58d8f26ac41e73e1f56e1259a85a17
Opcode Fuzzy Hash: dbce76725cc8a3278265029499c2f974241782f8ac824029cee1d11a1f326373
Instruction Fuzzy Hash: C0329A70D00218DFEF24DF90C994EEDB7B5BF05304F648069E806AB292D775AE85EB60

Function 000C676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000C6766,?,?,00000008,?,?,000CFEFE,00000000), ref: 000C6998

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 72f4091c5a19eb9168f8ca2a16932f4a3ca107cdeb8d26d689d37ae9178f3a30
Instruction ID: 52424ee0faacaf57d5b286547cab90b3cbbea75d134aa7a37c903153dcfb84d4
Opcode Fuzzy Hash: 72f4091c5a19eb9168f8ca2a16932f4a3ca107cdeb8d26d689d37ae9178f3a30
Instruction Fuzzy Hash: D3B13A316106089FD765CF28C48AF697BE0FF45364F25865CE89ACF2A2C736E995CB40

Function 000AB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000E851F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7111b9de5aa54939826ab5017f4bd0239f19251763a01fa83bb1727c12b6cbd9
Instruction ID: 23c9a4e1a617a116953ce32162dd396e9c81f3212deb1c2bfeed6dda109369f4
Opcode Fuzzy Hash: 7111b9de5aa54939826ab5017f4bd0239f19251763a01fa83bb1727c12b6cbd9
Instruction Fuzzy Hash: 391241759002299FDB64CF99C8806EEB7F5FF49710F14819AE849EB256DB309E81CF90

Function 0010EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0010EABD

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 44233fe0ff8cfe7e6cc1c8c2f31808d60e11be809880e10683dde57bff323136
Instruction ID: d3fc19e2b0d8d0f630c84f36615cd01830a12a6d2802c1796e2a6b01e9864a5a
Opcode Fuzzy Hash: 44233fe0ff8cfe7e6cc1c8c2f31808d60e11be809880e10683dde57bff323136
Instruction Fuzzy Hash: 25E012312002049FDB10DF5AD404E9AB7D9AF58760F018816FD49C7392D7B0A8418B90

Function 000B09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000B03EE), ref: 000B09DA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5953b017e4da601f13dd779321d6f6bfb92208504190f4909766cb6afa3e4bfb
Instruction ID: b6f442f93870b2d5f207a92ff420546b5d51c8f277db45df706e92173996cdbc
Opcode Fuzzy Hash: 5953b017e4da601f13dd779321d6f6bfb92208504190f4909766cb6afa3e4bfb
Instruction Fuzzy Hash:

Function 000B781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 000B798B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2e5ec99669f2568df286449df61852f2a1d5d5e198990dcbf8f5005831033cd1
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: EF51677168C7055BDBB88968885EBFE23D99BD2340F280519D88ED7393CE15DE01D356

Function 000C6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835704769e6a4d69ccb7bbbcdbc67405a7f3ddaf60bf831896e0dbbe1fd23818
Instruction ID: 3cb888abb25315208bcb32ed3945212b2bdce3f687fff458139afb35a41d134e
Opcode Fuzzy Hash: 835704769e6a4d69ccb7bbbcdbc67405a7f3ddaf60bf831896e0dbbe1fd23818
Instruction Fuzzy Hash: DC320232D29F014DD7239634D82233AA689AFB73D5F15D73BE81AB5DA6EB29C4C34500

Function 000ACC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddba3f50c87ded65e4f0cf65e2f3e1c040e08b60615770530559e23b9889ef4b
Instruction ID: 52d2c98bbc4782b27acf2cab2c1a1a6bfd70148536667ce68ea0c001a0b23d5a
Opcode Fuzzy Hash: ddba3f50c87ded65e4f0cf65e2f3e1c040e08b60615770530559e23b9889ef4b
Instruction Fuzzy Hash: B8324831A082858FFF78CB6AC494E7D77E1EB46314F29852AD459AB291D332DD82DB01

Function 00097920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b0bbebe61bbce11f312011e4253cf91c02fe82d3c078ee21c1b23dec27dcc2
Instruction ID: a72593ee7f2a5e2c5253f39f3d8f6d73360c40ecc218339e0053c2a57ec20897
Opcode Fuzzy Hash: 46b0bbebe61bbce11f312011e4253cf91c02fe82d3c078ee21c1b23dec27dcc2
Instruction Fuzzy Hash: E422AF71A0060ADFDF14CFA8D881AEEB7F5FF44300F10452AE816A7391EB35AA55DB61

Function 000991C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103cc3fff7d2d96ff0bb3343d50a59ff0e44db397f286e0252ab264f314b2e2a
Instruction ID: 46c6bcb260d48e47c90b049e54e5ce9fb8cbd8167d0552601857a4d34e021f7e
Opcode Fuzzy Hash: 103cc3fff7d2d96ff0bb3343d50a59ff0e44db397f286e0252ab264f314b2e2a
Instruction Fuzzy Hash: E002B6B0A0020AEFDF15DF54D881AAEB7B5FF44300F118169E8169F391EB31EA51DB91

Function 000C9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d310b914918977364c32c7802d11529bee73291460ec3b57b02498c333682dd7
Instruction ID: 9607811a0edcfea6062ee7c9a7dee2ac925ed40c07d86c4144990fa03353f1d3
Opcode Fuzzy Hash: d310b914918977364c32c7802d11529bee73291460ec3b57b02498c333682dd7
Instruction Fuzzy Hash: 04B1DE20E2AF414DD62396398835336B65CBFBB6D5F91D71BFC2674D62EB2286C34140

Function 000B1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 75fd8b5bad991b3812535edccebc90e70db5c6877bc41cd05d9f89ccafcaf69d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0E9156726080E34ADBA9463E85740FEFFE15F923A135A07ADD4F2CA1C5FE24D964D620

Function 000B1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: be1e653c4062f35b1c75755960dfd014cf8ff88753198562df052b3a43e5248f
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 089167722190E349DBA9463D85740BEFFE15BA23A131A07ADD4F2CB1D6EE24C954D720

Function 000B19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 26caf82842936002b1322aeb0c92229b5e009e6a0db8f99c436fba4db7b23920
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: DB91C4322090E34EDBAD427A84744FEFFE15B923A235A079ED4F2CA1C5FE24D564D620

Function 000B7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a76efb747becd7a419834f35a987334610c80611e082528bbcd0d430386637c
Instruction ID: 548e3d7ccffa3c1dd7a0195c7d444af2eca3a6b345e1cc5a8586f23caa6ce661
Opcode Fuzzy Hash: 0a76efb747becd7a419834f35a987334610c80611e082528bbcd0d430386637c
Instruction Fuzzy Hash: 06614671208709A6DEF49A288CA5FFE23D8DFC1700F14491EE94EDB2D2DB119E42CB56

Function 000B7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bbd52330e760fc32fc498fcf43be33d6c2d71d67d667e31941fb3e87006121
Instruction ID: ab306c3671f177d8c404adc01632aaa81153a07ea68c1e156767cbaf7f8e9b05
Opcode Fuzzy Hash: a5bbd52330e760fc32fc498fcf43be33d6c2d71d67d667e31941fb3e87006121
Instruction Fuzzy Hash: DA617A3120870956DEB85A2888A5BFF23F8DFC6780F104959E94FDF692DA12DD42C355

Function 000B1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 8e1ad93997e0e215becf7e92a5ca5a23e63155b42aac7db74fd770fe462ef254
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1781643260D0E34ADBAD463A85344FEFFE16F923A135A079DD4F2CB1C1EE248654E620

Function 00102046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d72f0ba70bac5015ab489d5801f0125e73c7af19c2bc8caf5a02c27b5c5df54
Instruction ID: b9f99399a3786f92674a14b298269d32aee023d21006cc2ca5661e1da656c36d
Opcode Fuzzy Hash: 4d72f0ba70bac5015ab489d5801f0125e73c7af19c2bc8caf5a02c27b5c5df54
Instruction Fuzzy Hash: 9721B7326206118BD728CF79C8276BE73E5A754310F15866EF4A7C37D1DE79A944CB80

Function 00112ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00112B30
DeleteObject.GDI32(00000000), ref: 00112B43
DestroyWindow.USER32 ref: 00112B52
GetDesktopWindow.USER32 ref: 00112B6D
GetWindowRect.USER32(00000000), ref: 00112B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00112CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00112CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112CF8
GetClientRect.USER32(00000000,?), ref: 00112D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00112D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D80
GlobalLock.KERNEL32(00000000), ref: 00112D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112D98
GlobalUnlock.KERNEL32(00000000), ref: 00112DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112DA8
GlobalFree.KERNEL32(00000000), ref: 00112DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0012FC38,00000000), ref: 00112DDB
GlobalFree.KERNEL32(00000000), ref: 00112DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00112E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00112E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00112E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0011303F

Strings

, xrefs: 00112FC5
static, xrefs: 00112D3A, 00112E91
AutoIt v3, xrefs: 00112CF2
DISPLAY, xrefs: 00112EA2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 218512d896f3d7f7be7056e296c9a5141f8512da58ada728c512446cea761c2e
Instruction ID: f24353cad9be79c0ca13fadb45cbea4ed6af3f1f22f1af4b493ee21290ec3f36
Opcode Fuzzy Hash: 218512d896f3d7f7be7056e296c9a5141f8512da58ada728c512446cea761c2e
Instruction Fuzzy Hash: D4026B71900215EFDB24DF64DD89EAE7BB9FF48710F048158F915AB2A1CB70AD91CBA0

Function 001270D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0012712F
GetSysColorBrush.USER32(0000000F), ref: 00127160
GetSysColor.USER32(0000000F), ref: 0012716C
SetBkColor.GDI32(?,000000FF), ref: 00127186
SelectObject.GDI32(?,?), ref: 00127195
InflateRect.USER32(?,000000FF,000000FF), ref: 001271C0
GetSysColor.USER32(00000010), ref: 001271C8
CreateSolidBrush.GDI32(00000000), ref: 001271CF
FrameRect.USER32(?,?,00000000), ref: 001271DE
DeleteObject.GDI32(00000000), ref: 001271E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00127230
FillRect.USER32(?,?,?), ref: 00127262
GetWindowLongW.USER32(?,000000F0), ref: 00127284

Part of subcall function 001273E8: GetSysColor.USER32(00000012), ref: 00127421
Part of subcall function 001273E8: SetTextColor.GDI32(?,?), ref: 00127425
Part of subcall function 001273E8: GetSysColorBrush.USER32(0000000F), ref: 0012743B
Part of subcall function 001273E8: GetSysColor.USER32(0000000F), ref: 00127446
Part of subcall function 001273E8: GetSysColor.USER32(00000011), ref: 00127463
Part of subcall function 001273E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00127471
Part of subcall function 001273E8: SelectObject.GDI32(?,00000000), ref: 00127482
Part of subcall function 001273E8: SetBkColor.GDI32(?,00000000), ref: 0012748B
Part of subcall function 001273E8: SelectObject.GDI32(?,?), ref: 00127498
Part of subcall function 001273E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001274B7
Part of subcall function 001273E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001274CE
Part of subcall function 001273E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001274DB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4d883f82678b2a0e8a02cf1e5f0042fc912270d186d6cae3a8910098e47f688f
Instruction ID: f3538dda5445f2a57415f8d7cf3bb48e4b60a6639250e906c23e7acaf5425df5
Opcode Fuzzy Hash: 4d883f82678b2a0e8a02cf1e5f0042fc912270d186d6cae3a8910098e47f688f
Instruction Fuzzy Hash: 46A19272108311FFD7109F60DC49A6F7BA9FF89320F100A19FA62961E1D771E9A5CB92

Function 000A8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 000A8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 000E6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000E6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000E6F43

Part of subcall function 000A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A8BE8,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000A8FC5

SendMessageW.USER32(?,00001053), ref: 000E6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000E6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 000E6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 000E6FB7

Strings

0, xrefs: 000E6DCF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 25b885a14067988429cbecbf89cda3e3ded12f661ef663450b9fbe0e94b12ec6
Instruction ID: 4481bd152e6e92b9f6b9449284abc80c761e41568ce28d0e3d8cd13de24b1917
Opcode Fuzzy Hash: 25b885a14067988429cbecbf89cda3e3ded12f661ef663450b9fbe0e94b12ec6
Instruction Fuzzy Hash: FA12CE30600281EFC765CF15E848BAAB7E1FB65340F188569F595AB661CB32EC92CF91

Function 00112711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0011273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0011286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001128A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001128B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00112900
GetClientRect.USER32(00000000,?), ref: 0011290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00112955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00112964
GetStockObject.GDI32(00000011), ref: 00112974
SelectObject.GDI32(00000000,00000000), ref: 00112978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00112988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00112991
DeleteDC.GDI32(00000000), ref: 0011299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001129C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001129DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00112A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00112A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00112A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00112A77
GetStockObject.GDI32(00000011), ref: 00112A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00112A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00112A97

Strings

static, xrefs: 0011294F, 00112A71
AutoIt v3, xrefs: 001128F8
msctls_progress32, xrefs: 00112A13
DISPLAY, xrefs: 0011295A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ddd323140508a7bf1b9f3afa671cabef265a207d5a35bb23d0e272ca4cbb68bb
Instruction ID: 86792ff3013100a90e6d6abff3c10acab13a62a5cf24b52e3b660ab7090d83e4
Opcode Fuzzy Hash: ddd323140508a7bf1b9f3afa671cabef265a207d5a35bb23d0e272ca4cbb68bb
Instruction Fuzzy Hash: 92B14B71A00215BFEB24DF68DC4AFAE7BA9FB08710F004114FA15E7691D7B0AD90CB94

Function 00104ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00104AED
GetDriveTypeW.KERNEL32(?,0012CB68,?,\\.\,0012CC08), ref: 00104BCA
SetErrorMode.KERNEL32(00000000,0012CB68,?,\\.\,0012CC08), ref: 00104D36

Strings

SSD, xrefs: 00104C4A
CDROM, xrefs: 00104BFB
Virtual, xrefs: 00104CE5
Fibre, xrefs: 00104CAD
Removable, xrefs: 00104C10, 00104C15
SCSI, xrefs: 00104C8A
RAID, xrefs: 00104CBB
1394, xrefs: 00104C9F
Fixed, xrefs: 00104C09
Network, xrefs: 00104C02
PhysicalDrive, xrefs: 00104B76
FileBackedVirtual, xrefs: 00104CEC
USB, xrefs: 00104CB4
SATA, xrefs: 00104CD0
iSCSI, xrefs: 00104CC2
MMC, xrefs: 00104CDE
SAS, xrefs: 00104CC9
ATAPI, xrefs: 00104C91
ATA, xrefs: 00104C98
\\.\, xrefs: 00104B3F
Unknown, xrefs: 00104BED, 00104C83
SSA, xrefs: 00104CA6
RAMDisk, xrefs: 00104BF4

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8a4f08412cb2447db3808416e16a8f41112c7d09ad2049465f50666e30640900
Instruction ID: f592ea4b528269338fa249bd5704889fdecf3ba3f7de7c255e42380d71970bec
Opcode Fuzzy Hash: 8a4f08412cb2447db3808416e16a8f41112c7d09ad2049465f50666e30640900
Instruction Fuzzy Hash: 0861F1B0205105EBDB08DF64CBC29BC77B0AB45301B648415FE96AF6D2DBB2ED45EB81

Function 001273E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00127421
SetTextColor.GDI32(?,?), ref: 00127425
GetSysColorBrush.USER32(0000000F), ref: 0012743B
GetSysColor.USER32(0000000F), ref: 00127446
CreateSolidBrush.GDI32(?), ref: 0012744B
GetSysColor.USER32(00000011), ref: 00127463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00127471
SelectObject.GDI32(?,00000000), ref: 00127482
SetBkColor.GDI32(?,00000000), ref: 0012748B
SelectObject.GDI32(?,?), ref: 00127498
InflateRect.USER32(?,000000FF,000000FF), ref: 001274B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001274CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001274DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0012752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00127554
InflateRect.USER32(?,000000FD,000000FD), ref: 00127572
DrawFocusRect.USER32(?,?), ref: 0012757D
GetSysColor.USER32(00000011), ref: 0012758E
SetTextColor.GDI32(?,00000000), ref: 00127596
DrawTextW.USER32(?,001270F5,000000FF,?,00000000), ref: 001275A8
SelectObject.GDI32(?,?), ref: 001275BF
DeleteObject.GDI32(?), ref: 001275CA
SelectObject.GDI32(?,?), ref: 001275D0
DeleteObject.GDI32(?), ref: 001275D5
SetTextColor.GDI32(?,?), ref: 001275DB
SetBkColor.GDI32(?,?), ref: 001275E5

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e1e1713ae32ccf6559aba851c2b244d89d66290fca18bb8c0632d14daa608e7b
Instruction ID: 0382114679021b8742f0155beff7793e16fd14c18104f539a6585df64898c27b
Opcode Fuzzy Hash: e1e1713ae32ccf6559aba851c2b244d89d66290fca18bb8c0632d14daa608e7b
Instruction Fuzzy Hash: F5616E72900218FFDB119FA4DC49AEEBFB9EF08320F114115FA11AB2A1D77499A1CB90

Function 00120FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00121128
GetDesktopWindow.USER32 ref: 0012113D
GetWindowRect.USER32(00000000), ref: 00121144
GetWindowLongW.USER32(?,000000F0), ref: 00121199
DestroyWindow.USER32(?), ref: 001211B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001211ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0012120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0012121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00121232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00121245
IsWindowVisible.USER32(00000000), ref: 001212A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001212BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001212D0
GetWindowRect.USER32(00000000,?), ref: 001212E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0012130E
GetMonitorInfoW.USER32(00000000,?), ref: 00121328
CopyRect.USER32(?,?), ref: 0012133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001213AA

Strings

tooltips_class32, xrefs: 001211E6
0, xrefs: 001210D3
(, xrefs: 0012131B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: ee36bf26f0f15065ed66adbfc741797f93c7a1a2b96a78110e80c66a0f06e35e
Instruction ID: 3419fedcb35d9e4482f2fb48f9a265e5fe512b58eedcfc2f1c1a2a4ee19cbe3b
Opcode Fuzzy Hash: ee36bf26f0f15065ed66adbfc741797f93c7a1a2b96a78110e80c66a0f06e35e
Instruction Fuzzy Hash: 70B1BD71608350AFDB14DF64D884BAEBBE5FF98350F00891CF9999B262C731E855CB91

Function 000A8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A8968
GetSystemMetrics.USER32(00000007), ref: 000A8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000A899B
GetSystemMetrics.USER32(00000008), ref: 000A89A3
GetSystemMetrics.USER32(00000004), ref: 000A89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000A89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000A89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000A8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000A8A3C
GetClientRect.USER32(00000000,000000FF), ref: 000A8A5A
GetStockObject.GDI32(00000011), ref: 000A8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 000A8A81

Part of subcall function 000A912D: GetCursorPos.USER32(?), ref: 000A9141
Part of subcall function 000A912D: ScreenToClient.USER32(00000000,?), ref: 000A915E
Part of subcall function 000A912D: GetAsyncKeyState.USER32(00000001), ref: 000A9183
Part of subcall function 000A912D: GetAsyncKeyState.USER32(00000002), ref: 000A919D

SetTimer.USER32(00000000,00000000,00000028,000A90FC), ref: 000A8AA8

Strings

AutoIt v3 GUI, xrefs: 000A8A20

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4cada3b26587617788220dc2a5230da77762d36e979c011663bdbf93b5c6bac0
Instruction ID: eab1db3364ad5ff5213b52ae052e63623badcc3ce1186fa8cb069b3007cf11b4
Opcode Fuzzy Hash: 4cada3b26587617788220dc2a5230da77762d36e979c011663bdbf93b5c6bac0
Instruction Fuzzy Hash: A8B18D31A00209AFDB24DFA8DD45BAE7BB5FB48314F144229FA15E7290DB74E851CB51

Function 000F0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F1114
Part of subcall function 000F10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1120
Part of subcall function 000F10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F112F
Part of subcall function 000F10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1136
Part of subcall function 000F10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000F0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000F0E29
GetLengthSid.ADVAPI32(?), ref: 000F0E40
GetAce.ADVAPI32(?,00000000,?), ref: 000F0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000F0E96
GetLengthSid.ADVAPI32(?), ref: 000F0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000F0EB5
HeapAlloc.KERNEL32(00000000), ref: 000F0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000F0EDD
CopySid.ADVAPI32(00000000), ref: 000F0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000F0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000F0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000F0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0F6E
HeapFree.KERNEL32(00000000), ref: 000F0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0F7E
HeapFree.KERNEL32(00000000), ref: 000F0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F0F8E
HeapFree.KERNEL32(00000000), ref: 000F0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 000F0FA1
HeapFree.KERNEL32(00000000), ref: 000F0FA8

Part of subcall function 000F1193: GetProcessHeap.KERNEL32(00000008,000F0BB1,?,00000000,?,000F0BB1,?), ref: 000F11A1
Part of subcall function 000F1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000F0BB1,?), ref: 000F11A8
Part of subcall function 000F1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000F0BB1,?), ref: 000F11B7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0f99fc6c59865edc61824eed4cbb85f28a6a26766840e02e73d8fd4c34c2a275
Instruction ID: a373e1b1c402c20317a526131a38823e347a23a0bc79537f75d29664539784ef
Opcode Fuzzy Hash: 0f99fc6c59865edc61824eed4cbb85f28a6a26766840e02e73d8fd4c34c2a275
Instruction Fuzzy Hash: A6715D7190020AFBDB609FA4DC45FFEBBB8BF04300F144125FA19A6992D771995ADBA0

Function 0011C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0012CC08,00000000,?,00000000,?,?), ref: 0011C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0011C5A4
_wcslen.LIBCMT ref: 0011C5F4
_wcslen.LIBCMT ref: 0011C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0011C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0011C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0011C84D
RegCloseKey.ADVAPI32(?), ref: 0011C881
RegCloseKey.ADVAPI32(00000000), ref: 0011C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0011C960

Strings

REG_SZ, xrefs: 0011C644
REG_BINARY, xrefs: 0011C913
REG_DWORD, xrefs: 0011C804
REG_MULTI_SZ, xrefs: 0011C6F5
REG_EXPAND_SZ, xrefs: 0011C5CD
REG_QWORD, xrefs: 0011C8C3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d8d3a5a8e15ab762906a3710ca9cc867a2a6c10c67e12fa60134b721249874f9
Instruction ID: bbbde9f4d441f5d1c3b40fee7afc69555f0a2be9c25645a61227099b90e5a524
Opcode Fuzzy Hash: d8d3a5a8e15ab762906a3710ca9cc867a2a6c10c67e12fa60134b721249874f9
Instruction Fuzzy Hash: B4127B356086019FDB18DF14C891BAAB7E5FF88714F05886CF85A9B3A2DB71ED41CB81

Function 0012091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001209C6
_wcslen.LIBCMT ref: 00120A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00120A54
_wcslen.LIBCMT ref: 00120A8A
_wcslen.LIBCMT ref: 00120B06
_wcslen.LIBCMT ref: 00120B81

Part of subcall function 000AF9F2: _wcslen.LIBCMT ref: 000AF9FD

Part of subcall function 000F2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000F2BFA

Strings

CHECK, xrefs: 00120A85, 00120AA0
GETTEXT, xrefs: 00120C97
GETITEMCOUNT, xrefs: 00120C1E
ISCHECKED, xrefs: 00120CE1
GETSELECTED, xrefs: 00120C4E
SELECT, xrefs: 00120D11
UNCHECK, xrefs: 00120D3E
EXISTS, xrefs: 00120B7C, 00120B97
EXPAND, xrefs: 00120BF8
GETTOTALCOUNT, xrefs: 001209F2, 00120A17
COLLAPSE, xrefs: 00120B01, 00120B1C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 2db836141231299c3cc062ba2ca35b777542d148942335a41f3d2e87423712cd
Instruction ID: 3d6e959fd12a4937b9d2d24a4af81bb9fbdee6012880887a208d1db99b5fe17f
Opcode Fuzzy Hash: 2db836141231299c3cc062ba2ca35b777542d148942335a41f3d2e87423712cd
Instruction Fuzzy Hash: 65E1CC362083118FCB15DF64D45096AB7E2BF88314B518A5CF89AAB3A3D731ED59CB81

Function 0011C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
_wcslen.LIBCMT ref: 0011C9F1
_wcslen.LIBCMT ref: 0011CA68
_wcslen.LIBCMT ref: 0011CA9E
_wcslen.LIBCMT ref: 0011CAF9
_wcslen.LIBCMT ref: 0011CB2F
_wcslen.LIBCMT ref: 0011CB7F

Strings

HKLM, xrefs: 0011CA98, 0011CA9D
HKU, xrefs: 0011CBF0
HKEY_LOCAL_MACHINE, xrefs: 0011CA62, 0011CA67
HKEY_CLASSES_ROOT, xrefs: 0011CAF3, 0011CAF8
HKCC, xrefs: 0011CBAC
HKCU, xrefs: 0011CBCE
HKCR, xrefs: 0011CB29, 0011CB2E
HKEY_CURRENT_USER, xrefs: 0011CBBD
HKEY_USERS, xrefs: 0011CBDF
HKEY_CURRENT_CONFIG, xrefs: 0011CB79, 0011CB7E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 00dce50ca8c233806958da078eacc58fe05ac59be3a21daf43334085bd86e400
Instruction ID: e5cab0f5aeee52dbeab36f97dc0de07cfb1452325020187c9c283d4592fad35e
Opcode Fuzzy Hash: 00dce50ca8c233806958da078eacc58fe05ac59be3a21daf43334085bd86e400
Instruction Fuzzy Hash: 6B71D33268412A8BCB28DE68A9516FF3391AFA5794B150538EC66EB285F731CDC4C3D0

Function 0012833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012835A
_wcslen.LIBCMT ref: 0012836E
_wcslen.LIBCMT ref: 00128391
_wcslen.LIBCMT ref: 001283B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001283F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0012361A,?), ref: 0012844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00128487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001284CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00128501
FreeLibrary.KERNEL32(?), ref: 0012850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0012851D
DestroyIcon.USER32(?), ref: 0012852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00128549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00128555

Strings

.exe, xrefs: 00128388
.dll, xrefs: 001283AB
.icl, xrefs: 00128368

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 29024be1da842112f66d60b9e830a4af7f63acf1f1a16f1c278f7606128f0934
Instruction ID: 1886f9be9b31618c4c05a7b8fa6708325d5fae7291928d193955dc5061d10a98
Opcode Fuzzy Hash: 29024be1da842112f66d60b9e830a4af7f63acf1f1a16f1c278f7606128f0934
Instruction Fuzzy Hash: 2761BE71500625BBEB24DF64DC42BFE77A8BF08B11F104509F915D61D2DBB4EAA1C7A0

Function 00097778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00097817
#notrayicon, xrefs: 000977E7
Unterminated group of comments, xrefs: 000D528C
#pragma compile, xrefs: 000977D3
#comments-start, xrefs: 0009785F, 000978B1
#include, xrefs: 00097847
#cs, xrefs: 00097873, 000978C5
", xrefs: 000D5153
Cannot parse #include, xrefs: 000D5279
', xrefs: 000D5169
#comments-end, xrefs: 000978D9
Bad directive syntax error, xrefs: 000D519A
#include-once, xrefs: 0009782F
#ce, xrefs: 000978ED
#requireadmin, xrefs: 000977FF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: f6df706f9a93f7506b88797cb73d9973e49e6b1c06b3148fb40fd166fa560672
Instruction ID: be0d22eb30daddb015cb2e6422a9d2c55fd28730fed866b6747e97054ba8a88a
Opcode Fuzzy Hash: f6df706f9a93f7506b88797cb73d9973e49e6b1c06b3148fb40fd166fa560672
Instruction Fuzzy Hash: 0681F072654605ABDF24AFA0DC42FFE77A9AF15300F044025FD18AA293EB70DA15E7A1

Function 00103E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00103EF8
_wcslen.LIBCMT ref: 00103F03
_wcslen.LIBCMT ref: 00103F5A
_wcslen.LIBCMT ref: 00103F98
GetDriveTypeW.KERNEL32(?), ref: 00103FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00104059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00104087

Strings

open, xrefs: 00103F54, 00103F59
type cdaudio alias cd wait, xrefs: 00104001
closed, xrefs: 00103F08, 00103F2D, 00103F46, 00103F7E, 00103F97
wait, xrefs: 00104044
open , xrefs: 00103FE5
close cd wait, xrefs: 00104072
close, xrefs: 00103EFE, 00103F18
set cd door , xrefs: 00104028

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 95127559a4df40898df79b8ec084fd789223fc0afcdaa01de49a0ca2627e2d0a
Instruction ID: 934cdc441d0c617e728da20097d71a37af16cfc61ca12358eba96f8d4d052b03
Opcode Fuzzy Hash: 95127559a4df40898df79b8ec084fd789223fc0afcdaa01de49a0ca2627e2d0a
Instruction Fuzzy Hash: 9371C3726042029FC710EF24C8818AEB7F4EF94754F50492DF9E697292EB71DE49CB92

Function 000F5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000F5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000F5A40
SetWindowTextW.USER32(?,?), ref: 000F5A57
GetDlgItem.USER32(?,000003EA), ref: 000F5A6C
SetWindowTextW.USER32(00000000,?), ref: 000F5A72
GetDlgItem.USER32(?,000003E9), ref: 000F5A82
SetWindowTextW.USER32(00000000,?), ref: 000F5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000F5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000F5AC3
GetWindowRect.USER32(?,?), ref: 000F5ACC
_wcslen.LIBCMT ref: 000F5B33
SetWindowTextW.USER32(?,?), ref: 000F5B6F
GetDesktopWindow.USER32 ref: 000F5B75
GetWindowRect.USER32(00000000), ref: 000F5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000F5BD3
GetClientRect.USER32(?,?), ref: 000F5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 000F5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000F5C2F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 27e7b3d6dd72ce6b872ccedae135bafaacc70b9dfe6a45aedcfc98c1cbfc2ccb
Instruction ID: 9fac66889c523ab8fea95a5f8ef2e8d6cb5aaba8f4d217e43ec8f0fc2cfef1da
Opcode Fuzzy Hash: 27e7b3d6dd72ce6b872ccedae135bafaacc70b9dfe6a45aedcfc98c1cbfc2ccb
Instruction Fuzzy Hash: 28717C31900B09AFDB20DFA8CE85AAEBBF5FF48705F104518E742A3AA0D775E954DB50

Function 0010FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0010FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0010FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0010FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0010FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0010FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0010FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0010FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0010FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0010FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0010FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0010FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0010FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0010FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0010FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0010FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0010FECC
GetCursorInfo.USER32(?), ref: 0010FEDC
GetLastError.KERNEL32 ref: 0010FF1E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 662623871da9c1ed5701f698cb95825ac99634885a9c1fc539292690d07d86ef
Instruction ID: b613792498042a87e4445028de617023381c3c80b0d8b109650a1186ca438fc4
Opcode Fuzzy Hash: 662623871da9c1ed5701f698cb95825ac99634885a9c1fc539292690d07d86ef
Instruction Fuzzy Hash: FF4154B1D0431A6ADB20DFBA8C89C5EBFE8FF04754B50452AF11DE7681DB78A901CE91

Function 000B00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000B00C6

Part of subcall function 000B00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0016070C,00000FA0,C298BB6C,?,?,?,?,000D23B3,000000FF), ref: 000B011C
Part of subcall function 000B00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000D23B3,000000FF), ref: 000B0127
Part of subcall function 000B00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000D23B3,000000FF), ref: 000B0138
Part of subcall function 000B00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000B014E
Part of subcall function 000B00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000B015C
Part of subcall function 000B00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000B016A
Part of subcall function 000B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000B0195
Part of subcall function 000B00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000B01A0

___scrt_fastfail.LIBCMT ref: 000B00E7

Part of subcall function 000B00A3: __onexit.LIBCMT ref: 000B00A9

Strings

WakeAllConditionVariable, xrefs: 000B0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 000B0122
InitializeConditionVariable, xrefs: 000B0148
kernel32.dll, xrefs: 000B0133
SleepConditionVariableCS, xrefs: 000B0154

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 78281c312898550bad8a79c0fb1178d28155b4df7f15e3e99e54ec721795ae23
Instruction ID: e19a7b6dc3bae6d369d497ee16c677d9fb0910658311d254cff1f2cde168df5e
Opcode Fuzzy Hash: 78281c312898550bad8a79c0fb1178d28155b4df7f15e3e99e54ec721795ae23
Instruction Fuzzy Hash: 1821FC32645715BBD7259BE8EC06BAF73E4EB09B51F000939F901A6691DB7098518AD0

Function 000F30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F318D
_wcslen.LIBCMT ref: 000F31F8

Strings

TEXT, xrefs: 000F347C
INSTANCE, xrefs: 000F3453
NAME, xrefs: 000F3335, 000F3346
CLASSNN, xrefs: 000F31F3, 000F3204
CLASS, xrefs: 000F3188, 000F31A5
REGEXPCLASS, xrefs: 000F3255, 000F3266

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 9754d93c44d5877d7529e08c11ea1f74a1345eb60c7d7c1a8421520c3baf5eca
Instruction ID: 9f9641cfd6f41d840ebd1fc6b70543c7bb7d531126d434dd4368b63febc9ec53
Opcode Fuzzy Hash: 9754d93c44d5877d7529e08c11ea1f74a1345eb60c7d7c1a8421520c3baf5eca
Instruction Fuzzy Hash: 82E10732A0051A9BCB68DFB4C4517FEBBB1BF44720F148119EA56F7641DB30AF85A790

Function 001044C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0012CC08), ref: 00104527
_wcslen.LIBCMT ref: 0010453B
_wcslen.LIBCMT ref: 00104599
_wcslen.LIBCMT ref: 001045F4
_wcslen.LIBCMT ref: 0010463F
_wcslen.LIBCMT ref: 001046A7

Part of subcall function 000AF9F2: _wcslen.LIBCMT ref: 000AF9FD

GetDriveTypeW.KERNEL32(?,00156BF0,00000061), ref: 00104743

Strings

fixed, xrefs: 00104635, 0010463A
removable, xrefs: 001045EA, 001045EF
ramdisk, xrefs: 001046F1
unknown, xrefs: 00104708
cdrom, xrefs: 0010458F, 00104594
network, xrefs: 0010469D, 001046A2
all, xrefs: 00104531, 00104536

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 393a67c2944779fa5e325238b87c52208c2c8287d0541327817cb937e3f65a5a
Instruction ID: 13682add6a9be5489293c11ba347a66ebbe9464cdda72f88ea649684f47e8087
Opcode Fuzzy Hash: 393a67c2944779fa5e325238b87c52208c2c8287d0541327817cb937e3f65a5a
Instruction Fuzzy Hash: 1EB1DFB16083029FC714DF28C8D0AAAB7E5AFA5720F50491DF6D6C72D2E7B1D944CA92

Function 00113FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0012CC08), ref: 001140BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001140CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0012CC08), ref: 001140F2
FreeLibrary.KERNEL32(00000000,?,0012CC08), ref: 0011413E
StringFromGUID2.OLE32(?,?,00000028,?,0012CC08), ref: 001141A8
SysFreeString.OLEAUT32(00000009), ref: 00114262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001142C8
SysFreeString.OLEAUT32(?), ref: 001142F2

Strings

kernel32.dll, xrefs: 001140B6
GetModuleHandleExW, xrefs: 001140C7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 7a29f734215f5bcf110e0a34b68ccfbb6c59285ec9c7ed8d20a9e635a781762a
Instruction ID: cc9e34c0ee6a7cab135ddb8af2c1ab47ceb173a4ade57434c15b92a7efb7f721
Opcode Fuzzy Hash: 7a29f734215f5bcf110e0a34b68ccfbb6c59285ec9c7ed8d20a9e635a781762a
Instruction Fuzzy Hash: A0122975A00115EFDB18CF94C884EEEBBB5FF49714F2580A8E905AB251D731ED86CBA0

Function 0009326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00161990), ref: 000D2F8D
GetMenuItemCount.USER32(00161990), ref: 000D303D
GetCursorPos.USER32(?), ref: 000D3081
SetForegroundWindow.USER32(00000000), ref: 000D308A
TrackPopupMenuEx.USER32(00161990,00000000,?,00000000,00000000,00000000), ref: 000D309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000D30A9

Strings

0, xrefs: 0009327D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9ebd7436fed883a0e5e244aa4bd4abcff65394e4f2caafaeffdd3654faad8156
Instruction ID: 86bc309546ad4c56f180bc058f54589cc4820464f9c0e2f6d186080412c7908e
Opcode Fuzzy Hash: 9ebd7436fed883a0e5e244aa4bd4abcff65394e4f2caafaeffdd3654faad8156
Instruction Fuzzy Hash: 43710871644315BEEB319F24CC49FAEBFA4FF05364F204226F614662E1C7B1A950DBA1

Function 00126CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00126DEB

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00126E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00126E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00126E94
DestroyWindow.USER32(?), ref: 00126EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00090000,00000000), ref: 00126EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00126EFD
GetDesktopWindow.USER32 ref: 00126F16
GetWindowRect.USER32(00000000), ref: 00126F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00126F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00126F4D

Part of subcall function 000A9944: GetWindowLongW.USER32(?,000000EB), ref: 000A9952

Strings

tooltips_class32, xrefs: 00126E58, 00126EDD
0, xrefs: 00126D98

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 8571405a973367866710c0a3ff9e1d70753cfe1763e70b64d804360d110f1095
Instruction ID: f2114996860e4234128a3dd6e649db9492c578c4c05e2151d71ac4c6219f6646
Opcode Fuzzy Hash: 8571405a973367866710c0a3ff9e1d70753cfe1763e70b64d804360d110f1095
Instruction Fuzzy Hash: 34717770104244AFDB21CF18EC54FAABBF9FB89304F08041DFA99972A1C770A966DF52

Function 0012911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

DragQueryPoint.SHELL32(?,?), ref: 00129147

Part of subcall function 00127674: ClientToScreen.USER32(?,?), ref: 0012769A
Part of subcall function 00127674: GetWindowRect.USER32(?,?), ref: 00127710
Part of subcall function 00127674: PtInRect.USER32(?,?,00128B89), ref: 00127720

SendMessageW.USER32(?,000000B0,?,?), ref: 001291B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001291BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001291DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00129225
SendMessageW.USER32(?,000000B0,?,?), ref: 0012923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00129255
SendMessageW.USER32(?,000000B1,?,?), ref: 00129277
DragFinish.SHELL32(?), ref: 0012927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00129371

Strings

@GUI_DRAGID, xrefs: 001292E9
@GUI_DROPID, xrefs: 0012929E
@GUI_DRAGFILE, xrefs: 00129320

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 00a6547415c6a62dfac744a3ff0dda3eb5fcfa130e80597e72c2821429baa284
Instruction ID: 4c95637b0112e7c300b51a84ac2130abe449a9d40177e5a65183af7aac7b53c0
Opcode Fuzzy Hash: 00a6547415c6a62dfac744a3ff0dda3eb5fcfa130e80597e72c2821429baa284
Instruction Fuzzy Hash: 54617971108301AFD701EF64DC85DAFBBE8FF89350F40092EF595921A1DB709A59CBA2

Function 0010C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0010C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0010C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0010C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0010C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0010C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0010C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0010C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0010C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0010C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0010C5F0
InternetCloseHandle.WININET(00000000), ref: 0010C5FB

Strings

, xrefs: 0010C575

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 50d8b54038eabea6cbb11e7d3ff0052a530135d5382487771dc4e5582819a124
Instruction ID: c3247e95f618c0f70fbabbe3f54d5f46dd0fc2e7b54a34a0b882a39f00c1f1fd
Opcode Fuzzy Hash: 50d8b54038eabea6cbb11e7d3ff0052a530135d5382487771dc4e5582819a124
Instruction Fuzzy Hash: 37516BB4600609BFDB219FA4CD88AAB7BBCFF08354F004619F985D6690DB70E9559FE0

Function 0012856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00128592
GetFileSize.KERNEL32(00000000,00000000), ref: 001285A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001285AD
CloseHandle.KERNEL32(00000000), ref: 001285BA
GlobalLock.KERNEL32(00000000), ref: 001285C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001285D7
GlobalUnlock.KERNEL32(00000000), ref: 001285E0
CloseHandle.KERNEL32(00000000), ref: 001285E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001285F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0012FC38,?), ref: 00128611
GlobalFree.KERNEL32(00000000), ref: 00128621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00128641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00128671
DeleteObject.GDI32(00000000), ref: 00128699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001286AF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: fdf946f8a0a7fa2f0ec94c790ceb6c1e7c8f491a4c75d3b22798e9c5e6f53462
Instruction ID: 0943e603fb712f93d65d8d96517294a3dec43125636c97dc2bc956cb6ab37f05
Opcode Fuzzy Hash: fdf946f8a0a7fa2f0ec94c790ceb6c1e7c8f491a4c75d3b22798e9c5e6f53462
Instruction Fuzzy Hash: 0C410975601214FFDB219FA5DC48EAE7BB8FF89715F104158FA05E7260DB30A962CBA0

Function 001014BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00101502
VariantCopy.OLEAUT32(?,?), ref: 0010150B
VariantClear.OLEAUT32(?), ref: 00101517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001015FB
VarR8FromDec.OLEAUT32(?,?), ref: 00101657
VariantInit.OLEAUT32(?), ref: 00101708
SysFreeString.OLEAUT32(?), ref: 0010178C
VariantClear.OLEAUT32(?), ref: 001017D8
VariantClear.OLEAUT32(?), ref: 001017E7
VariantInit.OLEAUT32(00000000), ref: 00101823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00101625
Default, xrefs: 001016AF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ada291b548bc4cdb5515629aaff824cfa6c5ffd22124d76651a066eb59808076
Instruction ID: 3ad48cc0c0cbe3017d6444b0b3a97aec239321e2e0b9ec1d780544e543d48af6
Opcode Fuzzy Hash: ada291b548bc4cdb5515629aaff824cfa6c5ffd22124d76651a066eb59808076
Instruction Fuzzy Hash: 01D1F031A00605FBDB14AFA4D885BBDB7B5BF46700F11805AE486AF1C1DBB8EC45DBA1

Function 0011B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0011B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0011B80A
RegCloseKey.ADVAPI32(?), ref: 0011B87E
RegCloseKey.ADVAPI32(?), ref: 0011B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0011B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0011B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0011B922
FreeLibrary.KERNEL32(00000000), ref: 0011B983
RegCloseKey.ADVAPI32(00000000), ref: 0011B994

Strings

advapi32.dll, xrefs: 0011B8ED
RegDeleteKeyExW, xrefs: 0011B8FE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2187f64c6e73706cd6c35d658cd7c3dd978a86a290cfb87750a07567eb4da79b
Instruction ID: d761210b4dd20a3e71b886dcee51d0fcef18b828494e13a046ad5cb7925f6ec7
Opcode Fuzzy Hash: 2187f64c6e73706cd6c35d658cd7c3dd978a86a290cfb87750a07567eb4da79b
Instruction Fuzzy Hash: 42C17D75208201EFD718DF14C495FAABBE5BF84308F54846CF59A4B2A2CB71ED86CB91

Function 0011255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001125D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001125E8
CreateCompatibleDC.GDI32(?), ref: 001125F4
SelectObject.GDI32(00000000,?), ref: 00112601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0011266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001126AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001126D0
SelectObject.GDI32(?,?), ref: 001126D8
DeleteObject.GDI32(?), ref: 001126E1
DeleteDC.GDI32(?), ref: 001126E8
ReleaseDC.USER32(00000000,?), ref: 001126F3

Strings

(, xrefs: 0011268D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7600dbdc108176cf9286d192035ccc5952e91b744291429a74cb49f01e750eba
Instruction ID: bd833abb8ef30ac03b2743e9006172a95dd47b531ff86bffd702e9931db435ad
Opcode Fuzzy Hash: 7600dbdc108176cf9286d192035ccc5952e91b744291429a74cb49f01e750eba
Instruction Fuzzy Hash: B561E375D00219EFCF14CFA4D885AAEBBB6FF48310F208529E955A7250D770A9A1CF94

Function 000CDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 000CDAA1

Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD659
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD66B
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD67D
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD68F
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6A1
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6B3
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6C5
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6D7
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6E9
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD6FB
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD70D
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD71F
Part of subcall function 000CD63C: _free.LIBCMT ref: 000CD731

_free.LIBCMT ref: 000CDA96

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000CDAB8
_free.LIBCMT ref: 000CDACD
_free.LIBCMT ref: 000CDAD8
_free.LIBCMT ref: 000CDAFA
_free.LIBCMT ref: 000CDB0D
_free.LIBCMT ref: 000CDB1B
_free.LIBCMT ref: 000CDB26
_free.LIBCMT ref: 000CDB5E
_free.LIBCMT ref: 000CDB65
_free.LIBCMT ref: 000CDB82
_free.LIBCMT ref: 000CDB9A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d58b2d23af192f9ca4444d7d54cf51a79b8594dbb395f34f252e315fa9fed46f
Instruction ID: 0cd26f192a9a2c02a848fb5aca8d0b4b199818a3534a7908c311d400025cfbf6
Opcode Fuzzy Hash: d58b2d23af192f9ca4444d7d54cf51a79b8594dbb395f34f252e315fa9fed46f
Instruction Fuzzy Hash: 58310432604605DEEB62AB39E845F9EB7E9FB00311F15442EE459D75A2DB31EC80DB21

Function 000F365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000F369C
_wcslen.LIBCMT ref: 000F36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000F3797
GetClassNameW.USER32(?,?,00000400), ref: 000F380C
GetDlgCtrlID.USER32(?), ref: 000F385D
GetWindowRect.USER32(?,?), ref: 000F3882
GetParent.USER32(?), ref: 000F38A0
ScreenToClient.USER32(00000000), ref: 000F38A7
GetClassNameW.USER32(?,?,00000100), ref: 000F3921
GetWindowTextW.USER32(?,?,00000400), ref: 000F395D

Strings

%s%u, xrefs: 000F3734

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ffc7cb1e10bbd08066fa6203cadd71ef9d7468b0254d1acd9b2285a00cb5f1e3
Instruction ID: f1a8a2fe75b2d3b9a733e58a32eddfeb15c00a9e6f34feb905eb5778a549a4a6
Opcode Fuzzy Hash: ffc7cb1e10bbd08066fa6203cadd71ef9d7468b0254d1acd9b2285a00cb5f1e3
Instruction Fuzzy Hash: 5891D07120430AAFD718DF24C885BFAB7E8FF44360F008619FA99C2591DB74AA46DB91

Function 000F4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 000F4994
GetWindowTextW.USER32(?,?,00000400), ref: 000F49DA
_wcslen.LIBCMT ref: 000F49EB
CharUpperBuffW.USER32(?,00000000), ref: 000F49F7
_wcsstr.LIBVCRUNTIME ref: 000F4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 000F4A64
GetWindowTextW.USER32(?,?,00000400), ref: 000F4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000F4AE6
GetClassNameW.USER32(?,?,00000400), ref: 000F4B20
GetWindowRect.USER32(?,?), ref: 000F4B8B

Strings

ThumbnailClass, xrefs: 000F4A6F, 000F4AF1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 2be467fc1da1a319f2650ea4bc9afb5dbc9a41f4e4f30dbc11f6177c9f44aeb2
Instruction ID: 535c0ab484efe3c8f700d8bcb8207661a061db7b13a3d4064adaf26b01dc21c4
Opcode Fuzzy Hash: 2be467fc1da1a319f2650ea4bc9afb5dbc9a41f4e4f30dbc11f6177c9f44aeb2
Instruction Fuzzy Hash: 9D91CE71108209AFDB14CF14C981BBB77E8FF84314F04846AFE859A596EB34ED49DBA1

Function 000FBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00161990,000000FF,00000000,00000030), ref: 000FBFAC
SetMenuItemInfoW.USER32(00161990,00000004,00000000,00000030), ref: 000FBFE1
Sleep.KERNEL32(000001F4), ref: 000FBFF3
GetMenuItemCount.USER32(?), ref: 000FC039
GetMenuItemID.USER32(?,00000000), ref: 000FC056
GetMenuItemID.USER32(?,-00000001), ref: 000FC082
GetMenuItemID.USER32(?,?), ref: 000FC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000FC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000FC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000FC145

Strings

0, xrefs: 000FBF3D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 9ea87ae423eb675a4fc7c4c58f29b38498fb7bc1d9af2a15164a6063c051a10d
Instruction ID: d03b3f9663b287f721394ef73cae4660e3ed6f28ba762fcbad2f73e4f0635489
Opcode Fuzzy Hash: 9ea87ae423eb675a4fc7c4c58f29b38498fb7bc1d9af2a15164a6063c051a10d
Instruction Fuzzy Hash: 7761837050024DAFEF25CF54CE89EFE7BA8FB45344F040515EA11A3A92C735AD56EBA0

Function 0011CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0011CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0011CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0011CD48

Part of subcall function 0011CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0011CCAA
Part of subcall function 0011CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0011CCBD
Part of subcall function 0011CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0011CCCF
Part of subcall function 0011CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0011CD05
Part of subcall function 0011CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0011CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0011CCF3

Strings

advapi32.dll, xrefs: 0011CCB8
RegDeleteKeyExW, xrefs: 0011CCC9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 78078a9467188077107387071a9b68c5d7a0755d375f87ea3712c1a324967fe8
Instruction ID: ad6eebc6ebd700e44f9c1329e14433ab31a8541562e8a15cfe15ecf104b218b8
Opcode Fuzzy Hash: 78078a9467188077107387071a9b68c5d7a0755d375f87ea3712c1a324967fe8
Instruction Fuzzy Hash: C8317A75941129BBDB248B94EC88EFFBB7CEF55740F000175BA06E2640DB709E86DAE0

Function 00103D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00103D40
_wcslen.LIBCMT ref: 00103D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00103D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00103DBE
RemoveDirectoryW.KERNEL32(?), ref: 00103DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00103E55
CloseHandle.KERNEL32(00000000), ref: 00103E60
CloseHandle.KERNEL32(00000000), ref: 00103E6B

Strings

\, xrefs: 00103D77
\??\%s, xrefs: 00103D5B
:, xrefs: 00103D82

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b3a253ad972ab2b8b154fa1d9451fe4e8c31f378861bd09f9f358cb662452e95
Instruction ID: c1dbfc8312a5cf49c27731bc1bd74ffcd5681f5c2ac99d7052ff560085f823c9
Opcode Fuzzy Hash: b3a253ad972ab2b8b154fa1d9451fe4e8c31f378861bd09f9f358cb662452e95
Instruction Fuzzy Hash: C331A171900209ABDB21DBA0DC49FEF37BDEF88700F5041B6F655D61A1EBB097858B64

Function 000FE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000FE6B4

Part of subcall function 000AE551: timeGetTime.WINMM(?,?,000FE6D4), ref: 000AE555

Sleep.KERNEL32(0000000A), ref: 000FE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000FE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000FE727
SetActiveWindow.USER32 ref: 000FE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000FE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 000FE773
Sleep.KERNEL32(000000FA), ref: 000FE77E
IsWindow.USER32 ref: 000FE78A
EndDialog.USER32(00000000), ref: 000FE79B

Strings

BUTTON, xrefs: 000FE719

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: c7069cfee5b6c2a3b132c0b32da382bd64b6f1be8e24af3c458c5885fd0850f4
Instruction ID: 7eb89cf2629da4620dfd487a6e126dbf37531bb6acc3ffb3336c273f8ad0489c
Opcode Fuzzy Hash: c7069cfee5b6c2a3b132c0b32da382bd64b6f1be8e24af3c458c5885fd0850f4
Instruction Fuzzy Hash: 1D218470200788BFEB206F64EC8DA3D3B69F754759B100425FB12C1EB1DBB19CA1AB64

Function 000FE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000FEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000FEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000FEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000FEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000FEAA7

Strings

close PlayMe, xrefs: 000FEA6E, 000FEA9B
open , xrefs: 000FEA0C
alias PlayMe, xrefs: 000FEA36
play PlayMe, xrefs: 000FEAA2
play PlayMe wait, xrefs: 000FEA91
status PlayMe mode, xrefs: 000FEA58

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: daa9a60a37f12a1fa65792bb678b8e991b3cfc26ab243c59b3c36b091f2a9239
Instruction ID: f1029541b8d2c481747a5417c864d5c3e130d41d09716e4d969cfe10fe387a7f
Opcode Fuzzy Hash: daa9a60a37f12a1fa65792bb678b8e991b3cfc26ab243c59b3c36b091f2a9239
Instruction Fuzzy Hash: FD119171A90259BDDB20A7A1DC4ADFF6ABCEBD1F04F4004297921A70E1EF701A09D5F1

Function 000F9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000FA012
SetKeyboardState.USER32(?), ref: 000FA07D
GetAsyncKeyState.USER32(000000A0), ref: 000FA09D
GetKeyState.USER32(000000A0), ref: 000FA0B4
GetAsyncKeyState.USER32(000000A1), ref: 000FA0E3
GetKeyState.USER32(000000A1), ref: 000FA0F4
GetAsyncKeyState.USER32(00000011), ref: 000FA120
GetKeyState.USER32(00000011), ref: 000FA12E
GetAsyncKeyState.USER32(00000012), ref: 000FA157
GetKeyState.USER32(00000012), ref: 000FA165
GetAsyncKeyState.USER32(0000005B), ref: 000FA18E
GetKeyState.USER32(0000005B), ref: 000FA19C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 402bd08f2032459e75c1afaef110dc8850a3ad32288c08a29a3c4f06e02d45ca
Instruction ID: 0489e6f1bef0e31a66be6d0a9330df83fc7145d157c0ea6faf6ca5bcf783209e
Opcode Fuzzy Hash: 402bd08f2032459e75c1afaef110dc8850a3ad32288c08a29a3c4f06e02d45ca
Instruction Fuzzy Hash: 5651D760A0478C29FB75DBA088147FABFF49F13380F088599D7C6579C3DA54AA8CD762

Function 000F5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000F5CE2
GetWindowRect.USER32(00000000,?), ref: 000F5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000F5D59
GetDlgItem.USER32(?,00000002), ref: 000F5D69
GetWindowRect.USER32(00000000,?), ref: 000F5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000F5DCF
GetDlgItem.USER32(?,000003E9), ref: 000F5DDD
GetWindowRect.USER32(00000000,?), ref: 000F5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000F5E31
GetDlgItem.USER32(?,000003EA), ref: 000F5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000F5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 000F5E67

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9515b88ebc61347c23507b7b10368928f0d639cb55e315a277687a78489b491f
Instruction ID: ccf19f93239e1134e3d183c40dbd3e56ec7dd5735ae0f82bc53a072cfe923978
Opcode Fuzzy Hash: 9515b88ebc61347c23507b7b10368928f0d639cb55e315a277687a78489b491f
Instruction Fuzzy Hash: 1C512D70A00609AFDB18CF68CD89AAEBBB5FB48301F108129FA15E7690D7709E55CB90

Function 000A8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000A8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000A8BE8,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000A8FC5

DestroyWindow.USER32(?), ref: 000A8C81
KillTimer.USER32(00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000A8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000E6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000E69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000A8BBA,00000000,?), ref: 000E69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000A8BBA,00000000), ref: 000E69D4
DeleteObject.GDI32(00000000), ref: 000E69E6

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: a51ac1df171e62e46c4669e250380d1f5e6eb8f283df0192524ecec263d97196
Instruction ID: dcd2792fdc625d6bf1d4e862c71ed7440571c4f8c1d98c510bdad25a25c25d87
Opcode Fuzzy Hash: a51ac1df171e62e46c4669e250380d1f5e6eb8f283df0192524ecec263d97196
Instruction Fuzzy Hash: F7619A31502640EFCB359F55DD49B29B7F1FB52366F18852CE042AB960CB72A9D1CF90

Function 000A9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000A9944: GetWindowLongW.USER32(?,000000EB), ref: 000A9952

GetSysColor.USER32(0000000F), ref: 000A9862

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1848e8a9e417e0ea78aa0796d562473cbb14ab6a03dc6c34e187d07fd4ef2d58
Instruction ID: f28ce5e7d6e5f3dde4148e6fd6adf3a4794221e5dafa3bbcfdc0c7a6646d4ce2
Opcode Fuzzy Hash: 1848e8a9e417e0ea78aa0796d562473cbb14ab6a03dc6c34e187d07fd4ef2d58
Instruction Fuzzy Hash: A841B131204640EFDB305F789C85BB93BA5EB47330F144615FAA2971E1CB799C92DB60

Function 000F96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000F9717
LoadStringW.USER32(00000000,?,000DF7F8,00000001), ref: 000F9720

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000DF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000F9742
LoadStringW.USER32(00000000,?,000DF7F8,00000001), ref: 000F9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000F9866

Strings

^ ERROR, xrefs: 000F97FB
%s (%d) : ==> %s: %s %s, xrefs: 000F984A
Line %d (File "%s"):, xrefs: 000F978F
Line %d:, xrefs: 000F97A0
Error: , xrefs: 000F981D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f846bc1d891b424bcb1f78bd0c022d3555d4e4653d9c0f6fbdbf01a35184eff5
Instruction ID: d5a2baa9b5dc3f845e1fb5bd248960cffeda0a35738031e538db304e9d003510
Opcode Fuzzy Hash: f846bc1d891b424bcb1f78bd0c022d3555d4e4653d9c0f6fbdbf01a35184eff5
Instruction Fuzzy Hash: 2F413C72900209AACF14EBE4DE46EFE7378AF15340F504029F60572092EF756F49EBA1

Function 000F06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000F07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000F07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000F07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000F0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 000F082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000F0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000F083C

Strings

\CLSID, xrefs: 000F0724
\IPC$, xrefs: 000F0784
SOFTWARE\Classes\, xrefs: 000F070E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 816c37f6cc053ad6a4b2177f98e7974ce681aba61fc46ef8c8db89cc5102e2aa
Instruction ID: b8b81b0a66c9baae0f821bacecb9a8d66415194720c424a7175359cfb678c006
Opcode Fuzzy Hash: 816c37f6cc053ad6a4b2177f98e7974ce681aba61fc46ef8c8db89cc5102e2aa
Instruction Fuzzy Hash: 9B411572D1022DABCF21EBA4DC95CEEB7B8BF44750B044169F911A7162EB309E45DBA0

Function 00123F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0012403B
CreateCompatibleDC.GDI32(00000000), ref: 00124042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00124055
SelectObject.GDI32(00000000,00000000), ref: 0012405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00124068
DeleteDC.GDI32(00000000), ref: 00124072
GetWindowLongW.USER32(?,000000EC), ref: 0012407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00124092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0012409E

Strings

static, xrefs: 00123FD3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 31d889279129e626d65aa97f572297ce540b03c0196479c0927f91fc8ea0b4d3
Instruction ID: 448657b05ddbf8d1ea9959e9654722a09373a1751265d3cc495325e3cd7c0f2c
Opcode Fuzzy Hash: 31d889279129e626d65aa97f572297ce540b03c0196479c0927f91fc8ea0b4d3
Instruction Fuzzy Hash: 76311832501225BBDF219FA4EC49FDE3B69EF09724F110211FB19A61A0C775D8B1DB94

Function 00113C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00113C5C
CoInitialize.OLE32(00000000), ref: 00113C8A
CoUninitialize.OLE32 ref: 00113C94
_wcslen.LIBCMT ref: 00113D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00113DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00113ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00113F0E
CoGetObject.OLE32(?,00000000,0012FB98,?), ref: 00113F2D
SetErrorMode.KERNEL32(00000000), ref: 00113F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00113FC4
VariantClear.OLEAUT32(?), ref: 00113FD8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a6eb4f0252830626a601d9a16c7e513ab6c839bcfefae82acce9a0e9f33921ac
Instruction ID: 01d751c26507b272fcd39e4e0ba61f95b6dc80d39064007beb394307279516ab
Opcode Fuzzy Hash: a6eb4f0252830626a601d9a16c7e513ab6c839bcfefae82acce9a0e9f33921ac
Instruction Fuzzy Hash: FEC16A71608305AFD704DF68C8849ABB7E9FF89744F00492DF99A9B251D730ED86CB92

Function 00107A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00107AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00107B8F
SHGetDesktopFolder.SHELL32(?), ref: 00107BA3
CoCreateInstance.OLE32(0012FD08,00000000,00000001,00156E6C,?), ref: 00107BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00107C74
CoTaskMemFree.OLE32(?,?), ref: 00107CCC
SHBrowseForFolderW.SHELL32(?), ref: 00107D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00107D7A
CoTaskMemFree.OLE32(00000000), ref: 00107D81
CoTaskMemFree.OLE32(00000000), ref: 00107DD6
CoUninitialize.OLE32 ref: 00107DDC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d43636c374303ea57543798cd8d80a6f4f07bfcd10ba78dd889a681057239aa5
Instruction ID: 7a2cd05c407444565a59e7469fe78798810fb5f61c00c415db295df3992cdaea
Opcode Fuzzy Hash: d43636c374303ea57543798cd8d80a6f4f07bfcd10ba78dd889a681057239aa5
Instruction Fuzzy Hash: 3BC11C75A04109AFCB14DFA4C884DAEBBF5FF48304B148499F559DB2A1D770ED45CB90

Function 0012541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00125504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00125515
CharNextW.USER32(00000158), ref: 00125544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00125585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0012559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001255AC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 80a0bf1d6da3bb09426bd367a726272c82417fb607c584f921a6c24820eeb93d
Instruction ID: 835ff5977a18ced8f7bfb858c7e17de69500a7ed0a3806ed471a3583d17b08ca
Opcode Fuzzy Hash: 80a0bf1d6da3bb09426bd367a726272c82417fb607c584f921a6c24820eeb93d
Instruction Fuzzy Hash: C4617D30900628FBDF209F54ECC49FE7BBAEF05724F108145FA25A6291D7748AA1DB60

Function 000EFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000EFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000EFB08
VariantInit.OLEAUT32(?), ref: 000EFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000EFB3A
VariantCopy.OLEAUT32(?,?), ref: 000EFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000EFBA1
VariantClear.OLEAUT32(?), ref: 000EFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000EFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000EFBCC
VariantClear.OLEAUT32(?), ref: 000EFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000EFBE9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bc35c2c4bd696c22d9540c78867a6572ed96ea182739296837447dd236d346e2
Instruction ID: 24bc1ce41dca2a0481201c17331de309ab2700f5382b1f4b196153e7d5876729
Opcode Fuzzy Hash: bc35c2c4bd696c22d9540c78867a6572ed96ea182739296837447dd236d346e2
Instruction Fuzzy Hash: 3F415F75A0025AAFCF10EF65DC549FEBBB9EF48344F008069E945A7261DB70A946CBA0

Function 000F9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000F9CA1
GetAsyncKeyState.USER32(000000A0), ref: 000F9D22
GetKeyState.USER32(000000A0), ref: 000F9D3D
GetAsyncKeyState.USER32(000000A1), ref: 000F9D57
GetKeyState.USER32(000000A1), ref: 000F9D6C
GetAsyncKeyState.USER32(00000011), ref: 000F9D84
GetKeyState.USER32(00000011), ref: 000F9D96
GetAsyncKeyState.USER32(00000012), ref: 000F9DAE
GetKeyState.USER32(00000012), ref: 000F9DC0
GetAsyncKeyState.USER32(0000005B), ref: 000F9DD8
GetKeyState.USER32(0000005B), ref: 000F9DEA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c8177f9a866af7b4d6ece182a3e10092e15b3d0e505e7749390188fca4c8398a
Instruction ID: 4b28f59613e69fddd31d8764ba133ce077b25710ae1ea9ae0c562877344b773f
Opcode Fuzzy Hash: c8177f9a866af7b4d6ece182a3e10092e15b3d0e505e7749390188fca4c8398a
Instruction Fuzzy Hash: BE41D834604BCE69FFB0966088043B5BEE06F12344F18805ADBC656DC2DBE499D8D7E2

Function 0011055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001105BC
inet_addr.WSOCK32(?), ref: 0011061C
gethostbyname.WSOCK32(?), ref: 00110628
IcmpCreateFile.IPHLPAPI ref: 00110636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001106C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001106E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001107B9
WSACleanup.WSOCK32 ref: 001107BF

Strings

Ping, xrefs: 00110676

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 95e3c2d6ea5a57b89f7a55f94caa961400b6fa65a12c2cdb935a3098b221f865
Instruction ID: 77a28d6b22170d3f8b0650b5878c03d429a64e92986c1ff67f0040d1f5bc1661
Opcode Fuzzy Hash: 95e3c2d6ea5a57b89f7a55f94caa961400b6fa65a12c2cdb935a3098b221f865
Instruction Fuzzy Hash: EC91B035904201AFD725DF15C889F5ABBE1AF48318F1585A9F4A98B6A2C7B0EDC1CF81

Function 00118CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00118CF3

Part of subcall function 000F8E54: _wcslen.LIBCMT ref: 000F8E77

_wcslen.LIBCMT ref: 00118D4E
_wcslen.LIBCMT ref: 00118D9C
_wcslen.LIBCMT ref: 00118DDC
_wcslen.LIBCMT ref: 00118E6E

Strings

winapi, xrefs: 00118D96, 00118D9B
stdcall, xrefs: 00118DD6, 00118DDB
none, xrefs: 00118E65, 00118E6A
cdecl, xrefs: 00118D48, 00118D4D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: cfcc8c38b27afca7d9a15e6e1de1f4f639dab45fd4871e815a0d17d74e0dedd1
Instruction ID: d8fd68ce25e13cb45744ea2869ac7320d32dbe28050689827191242e91e14057
Opcode Fuzzy Hash: cfcc8c38b27afca7d9a15e6e1de1f4f639dab45fd4871e815a0d17d74e0dedd1
Instruction Fuzzy Hash: A5519331A011169BCF18DFACC9518FEB7A6BF65724B618239E825E72C5DB31DE80C790

Function 0011372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00113774
CoUninitialize.OLE32 ref: 0011377F
CoCreateInstance.OLE32(?,00000000,00000017,0012FB78,?), ref: 001137D9
IIDFromString.OLE32(?,?), ref: 0011384C
VariantInit.OLEAUT32(?), ref: 001138E4
VariantClear.OLEAUT32(?), ref: 00113936

Strings

Invalid parameter, xrefs: 00113865
Failed to create object, xrefs: 001137E4, 0011389A
NULL Pointer assignment, xrefs: 0011381E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 49309b9bac0305e76b4d61f1da827e8bd9b102dfb0a020bb9686f3d1c018fd8a
Instruction ID: a9f39f95b1980d1927fa2f074c9dc951bb2b612c2987686d955eda3a33a954a8
Opcode Fuzzy Hash: 49309b9bac0305e76b4d61f1da827e8bd9b102dfb0a020bb9686f3d1c018fd8a
Instruction Fuzzy Hash: 6261D171208301AFD719DF54C849BAEBBE8EF48710F00092DF9959B291C770EE89CB92

Function 00103388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001033CF

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001033F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00103504
"%s" (%d) : ==> %s:, xrefs: 00103522
Line %d (File "%s"):, xrefs: 00103443, 0010345C
Incorrect parameters to object property !, xrefs: 001034AB
Error: , xrefs: 001034D1
^ ERROR , xrefs: 0010349E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: c5c435b14a16b66bb152556d3fc1b11abfe108211fe384c555769db3ac7b3962
Instruction ID: 782381fae209b27e732a84590e0d3d2179aa5230ad712f236c8a7a89b82886b8
Opcode Fuzzy Hash: c5c435b14a16b66bb152556d3fc1b11abfe108211fe384c555769db3ac7b3962
Instruction Fuzzy Hash: 7C517B72900209BADF15EBE0CD42EEEB778AF14340F548165F515721A2EB712F98EBA0

Function 000FB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000FB5FC
_wcslen.LIBCMT ref: 000FB608
_wcslen.LIBCMT ref: 000FB64D
_wcslen.LIBCMT ref: 000FB68C
_wcslen.LIBCMT ref: 000FB6C7

Strings

APPEND, xrefs: 000FB6C1, 000FB6C6
EXISTS, xrefs: 000FB686, 000FB68B
REMOVE, xrefs: 000FB602, 000FB607
KEYS, xrefs: 000FB647, 000FB64C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 9c6092e94d2a36ff2d42b94bf0b3ebb2b227732e2408a3df163bf856b8881fcf
Instruction ID: 50d76a79dd84da9b61c37afee0cb3ac1a3a07ffdd7280df0a06309600d36d638
Opcode Fuzzy Hash: 9c6092e94d2a36ff2d42b94bf0b3ebb2b227732e2408a3df163bf856b8881fcf
Instruction Fuzzy Hash: AE413932A0012B9BCB206F7DCC905BE77E5BFA0754B244129E621DB680F739CD81EB90

Function 00105393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001053A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00105416
GetLastError.KERNEL32 ref: 00105420
SetErrorMode.KERNEL32(00000000,READY), ref: 001054A7

Strings

UNKNOWN, xrefs: 00105444
NOTREADY, xrefs: 0010544B
INVALID, xrefs: 00105459
READONLY, xrefs: 00105452
READY, xrefs: 00105460, 00105468

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 59e56862b8e27bb635b36c252240e2e8243e9385e417bbd599a0f217a78716fd
Instruction ID: 54e7f827bd20855172b69bbb34711d868c4476124e7cbc33ba24210c047d62e7
Opcode Fuzzy Hash: 59e56862b8e27bb635b36c252240e2e8243e9385e417bbd599a0f217a78716fd
Instruction Fuzzy Hash: 7131A075A00605DFCB10DF68C485AEABBB5EF04305F548069E945DF292EBB0DD86CFA1

Function 00123C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00123C79
SetMenu.USER32(?,00000000), ref: 00123C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00123D10
IsMenu.USER32(?), ref: 00123D24
CreatePopupMenu.USER32 ref: 00123D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00123D5B
DrawMenuBar.USER32 ref: 00123D63

Strings

0, xrefs: 00123C54
F, xrefs: 00123D4E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 62b4eb45bd5f5a3d6698eff0414eebefbdd68158e1232554ec5e49b67fc888ab
Instruction ID: 6cf524886823b24d4f4970258497726ce6f9bce5b7a9dfa2299e04e33e9f534b
Opcode Fuzzy Hash: 62b4eb45bd5f5a3d6698eff0414eebefbdd68158e1232554ec5e49b67fc888ab
Instruction Fuzzy Hash: EC417C75A01219EFDB24CFA4E844AEA7BB5FF49350F140029FA5697360D774EA21CF90

Function 000F1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 000F1F64
GetDlgCtrlID.USER32 ref: 000F1F6F
GetParent.USER32 ref: 000F1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 000F1F8E
GetDlgCtrlID.USER32(?), ref: 000F1F97
GetParent.USER32(?), ref: 000F1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 000F1FAE

Strings

ComboBox, xrefs: 000F1EEC
ListBox, xrefs: 000F1F21

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: ee4e58bb110c208917c897409dae2a1c510d33d129878c792477d97cac03953e
Instruction ID: 9e63f3350dd0797fadfb10b225c14ba4ae5e6571e1e65d5ef060b0df3bc968b6
Opcode Fuzzy Hash: ee4e58bb110c208917c897409dae2a1c510d33d129878c792477d97cac03953e
Instruction Fuzzy Hash: A421C270900218FBCF14AFA4CC95DFEBBB9EF05350B000119FA61A76A2CB345959EBA0

Function 000F1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 000F2043
GetDlgCtrlID.USER32 ref: 000F204E
GetParent.USER32 ref: 000F206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000F206D
GetDlgCtrlID.USER32(?), ref: 000F2076
GetParent.USER32(?), ref: 000F208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 000F208D

Strings

ComboBox, xrefs: 000F1FCD
ListBox, xrefs: 000F2002

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 207952f24aecc312aaca718e7a6aa0bc6cb522370d2e3b758e1cff9d78ba36f4
Instruction ID: 6d2264152fc9c69728934461cae4e796776eba2335afb05071160416f8064197
Opcode Fuzzy Hash: 207952f24aecc312aaca718e7a6aa0bc6cb522370d2e3b758e1cff9d78ba36f4
Instruction Fuzzy Hash: 1221C6B5900218BBCF10AFA4CC45EFEBBB9EF05340F004015FA51A76A2DB755959EBA0

Function 00123A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00123A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00123AA0
GetWindowLongW.USER32(?,000000F0), ref: 00123AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00123AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00123B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00123BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00123BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00123BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00123BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00123C13

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 55fa148e845dfcc84cfc200026b5090f8aea08e78edb0270f5cf533233fcdf22
Instruction ID: 90131f23d74bb31b8b2027ff9ebb8f5ef477b4cc80dfb3453979e1dd02b91b7f
Opcode Fuzzy Hash: 55fa148e845dfcc84cfc200026b5090f8aea08e78edb0270f5cf533233fcdf22
Instruction Fuzzy Hash: D8618B75900218AFDB10DFA8DC81EEE77B8EF09704F14409AFA15A72A1C774AEA1DF50

Function 000FB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000FB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB165
GetWindowThreadProcessId.USER32(00000000), ref: 000FB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 000FB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,000FA1E1,?,00000001), ref: 000FB21D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b9c81db215050a97c7f5d92d2d01084b1975d1c4f32bc9e79cebef32d34b15ba
Instruction ID: 53a7a5b85390d939f283a8e37a1c7633ce0787851337ebbe45e7c9aa2bfa5b03
Opcode Fuzzy Hash: b9c81db215050a97c7f5d92d2d01084b1975d1c4f32bc9e79cebef32d34b15ba
Instruction Fuzzy Hash: 9931AD71500208BFEB609F28DC48BBEBBA9FB61311F104005FB11D6A90D7B49E85DFA0

Function 000C2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000C2C94

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000C2CA0
_free.LIBCMT ref: 000C2CAB
_free.LIBCMT ref: 000C2CB6
_free.LIBCMT ref: 000C2CC1
_free.LIBCMT ref: 000C2CCC
_free.LIBCMT ref: 000C2CD7
_free.LIBCMT ref: 000C2CE2
_free.LIBCMT ref: 000C2CED
_free.LIBCMT ref: 000C2CFB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cb28fa29223f707854e4707f680cbd7c0bfc9e835466ea4393001727a926f4cd
Instruction ID: 7a7a5e04cd32553235cb87ca5c9ebe06c9b13b1aa311c8a8d78ce5a7744e93d2
Opcode Fuzzy Hash: cb28fa29223f707854e4707f680cbd7c0bfc9e835466ea4393001727a926f4cd
Instruction Fuzzy Hash: 24115676510108BFCB02EF54D982EDD3BA5FF05350F5145A9FA489FA23DA31EE509B90

Function 00107DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00107FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00107FC1
GetFileAttributesW.KERNEL32(?), ref: 00107FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00108005
SetCurrentDirectoryW.KERNEL32(?), ref: 00108017
SetCurrentDirectoryW.KERNEL32(?), ref: 00108060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001080B0

Strings

*.*, xrefs: 00108066

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: eb4b202b771b280a3471e24d5b33f8f158a465e087e5a182afeb17f5f9256eab
Instruction ID: a3cfd99b314c5a56f0560ccec430334026fe961f446ed2af94f6d632ba2cc043
Opcode Fuzzy Hash: eb4b202b771b280a3471e24d5b33f8f158a465e087e5a182afeb17f5f9256eab
Instruction Fuzzy Hash: FC8190729082059BCB24EF14C4549AEB3E9BF88310F544C6AF8C9C72D1EBB5ED45CB92

Function 00095BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00095C7A

Part of subcall function 00095D0A: GetClientRect.USER32(?,?), ref: 00095D30
Part of subcall function 00095D0A: GetWindowRect.USER32(?,?), ref: 00095D71
Part of subcall function 00095D0A: ScreenToClient.USER32(?,?), ref: 00095D99

GetDC.USER32 ref: 000D46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000D4708
SelectObject.GDI32(00000000,00000000), ref: 000D4716
SelectObject.GDI32(00000000,00000000), ref: 000D472B
ReleaseDC.USER32(?,00000000), ref: 000D4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000D47C4

Strings

U, xrefs: 000D4693

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a368638096b0d5d5a2ed72a36aa3dc65e513103a05e27a82a42c27bc944b933c
Instruction ID: 396b576acfb95ff988a8fb3ffece80f3fe20a9c9ee581a9be9414b843818c06f
Opcode Fuzzy Hash: a368638096b0d5d5a2ed72a36aa3dc65e513103a05e27a82a42c27bc944b933c
Instruction Fuzzy Hash: 4B71C031504305EFCF218F64CD84ABE7BF5FF4A355F18426AE9565A2A6C7308891EF60

Function 0010359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001035E4

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

LoadStringW.USER32(00162390,?,00000FFF,?), ref: 0010360A

Strings

^ ERROR, xrefs: 001036C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00103724
"%s" (%d) : ==> %s:, xrefs: 00103742
Line %d (File "%s"):, xrefs: 0010366B
Error: , xrefs: 001036EF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 5ff1e3e4ec81922d1ce514fbdd3f27669f56fd3e72633611c5a4f0806809ed58
Instruction ID: a8676e6321919d77516b08f0de2b15a1379b47f748dd9134035ee6799044f52f
Opcode Fuzzy Hash: 5ff1e3e4ec81922d1ce514fbdd3f27669f56fd3e72633611c5a4f0806809ed58
Instruction Fuzzy Hash: 76516C72800209BBDF15EBE0DC42EEEBB78AF14310F544129F515721A2EB711B99EFA1

Function 0010C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0010C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0010C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0010C2CA
GetLastError.KERNEL32 ref: 0010C322
SetEvent.KERNEL32(?), ref: 0010C336
InternetCloseHandle.WININET(00000000), ref: 0010C341

Strings

, xrefs: 0010C2BB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fb3c9f4a87857d667925f4281dec9cf2ea6ceed8283bcc2bcc1b6aeec4a44c21
Instruction ID: 3eb14c92e9f70365d71e196e13dd8dce4354bd573b6d0d14db2d4e4599baf848
Opcode Fuzzy Hash: fb3c9f4a87857d667925f4281dec9cf2ea6ceed8283bcc2bcc1b6aeec4a44c21
Instruction Fuzzy Hash: 91318DB1500604AFD7219FA48888AAB7AFCFB59740B10861EF48696680DBB0DD459FE0

Function 000F989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000D3AAF,?,?,Bad directive syntax error,0012CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000F98BC
LoadStringW.USER32(00000000,?,000D3AAF,?), ref: 000F98C3

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000F9987

Strings

Error: , xrefs: 000F9955
Line %d (File "%s"):, xrefs: 000F992D
., xrefs: 000F996D
Line %d:, xrefs: 000F9912
%s (%d) : ==> %s.: %s %s, xrefs: 000F98F1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 4a3c07148a94952b4cf3643f52f5057ea1d3a2aa0089f68343f9ea9e67959bfe
Instruction ID: 85865f7a430782b04d08e368b2ea002ff149c76708fb6c52624f30a41f1fa7cd
Opcode Fuzzy Hash: 4a3c07148a94952b4cf3643f52f5057ea1d3a2aa0089f68343f9ea9e67959bfe
Instruction Fuzzy Hash: 4C215E3194421EFBCF15AF90CC06EFE7775BF18301F44446AFA25660A2EB719668EB60

Function 000F209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000F20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 000F20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000F214D

Strings

largeicons, xrefs: 000F20E1
details, xrefs: 000F20FB
smallicons, xrefs: 000F2115
list, xrefs: 000F212F
SHELLDLL_DefView, xrefs: 000F20CC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a2666cca7e14248f7558eb985275557742a9da523e61debcdd5c813c24868227
Instruction ID: 6a3c064034dd58b108f0fb808d82f597254832492b6f2aacd4d600f0ce2644c5
Opcode Fuzzy Hash: a2666cca7e14248f7558eb985275557742a9da523e61debcdd5c813c24868227
Instruction Fuzzy Hash: 68115C7628470AF9FB116220DC1BDFB73DDEF15325B200116FB04A84D3FFA1A8566519

Function 000C8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd428e64b40422959acc3251a1049ff0a58be2b8b9cbea2b3e8a7a86a35d8e4
Instruction ID: a4cb4ed7d19a36319615b997dc0b83f9fc0f5b90d1115115f94f333dfe282da2
Opcode Fuzzy Hash: 1bd428e64b40422959acc3251a1049ff0a58be2b8b9cbea2b3e8a7a86a35d8e4
Instruction Fuzzy Hash: 38C1D074A04249AFDB21DFA8CC49FEDBBF0AF09310F14419DE915A7392CB709942CB65

Function 000CCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000CCEB7
_free.LIBCMT ref: 000CCF22
_free.LIBCMT ref: 000CCF48
_free.LIBCMT ref: 000CCF71
_free.LIBCMT ref: 000CCFA9
_free.LIBCMT ref: 000CCFDA
_free.LIBCMT ref: 000CD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000CD09C
_free.LIBCMT ref: 000CD0B5

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: de839911d754aeb690e76cc1a443af2496d08e9e59ff2d7ea939f1c5c3442fd8
Instruction ID: 0a41962160d62c2d33724cbf6498c84559b68483db29c4027543ecfa2ca9c561
Opcode Fuzzy Hash: de839911d754aeb690e76cc1a443af2496d08e9e59ff2d7ea939f1c5c3442fd8
Instruction Fuzzy Hash: CD611571904301AFEB21AFB8DC81FAE7BE5EF05320F19427EF94997282D6719D428790

Function 001250D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00125186
ShowWindow.USER32(?,00000000), ref: 001251C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001251CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001251D1

Part of subcall function 00126FBA: DeleteObject.GDI32(00000000), ref: 00126FE6

GetWindowLongW.USER32(?,000000F0), ref: 0012520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0012521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0012524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00125287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00125296

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 80f9a5e50097aff7e0c855fbd3bf66d40ae1c63c31315580be2077087ca9479a
Instruction ID: 1866615dd884e6cdbf3f3e84bd0e0e89248e426fb34fbf11059ac45fd2a08cd8
Opcode Fuzzy Hash: 80f9a5e50097aff7e0c855fbd3bf66d40ae1c63c31315580be2077087ca9479a
Instruction Fuzzy Hash: B851C030A50A28FEEF349F24EC8ABE83B67FB05365F184011F615962E1C375A9B0DB50

Function 000A8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000E6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000E68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000E68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000E68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000E68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000A8874,00000000,00000000,00000000,000000FF,00000000), ref: 000E6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000E691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000A8874,00000000,00000000,00000000,000000FF,00000000), ref: 000E692D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 60d296a37f1f3a71984567575bace4d02f44fd959fe84504ab5b15e7a37b5623
Instruction ID: 2bc8a445810d4129fdc4f8bdfafb2207149bc2a7c628dd8642a45f3adb9774bc
Opcode Fuzzy Hash: 60d296a37f1f3a71984567575bace4d02f44fd959fe84504ab5b15e7a37b5623
Instruction Fuzzy Hash: AE51A870610209EFDB20CF65DC55BAA7BF5FB58350F108628FA12A76A0DB71E990DB60

Function 0010C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0010C182
GetLastError.KERNEL32 ref: 0010C195
SetEvent.KERNEL32(?), ref: 0010C1A9

Part of subcall function 0010C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0010C272
Part of subcall function 0010C253: GetLastError.KERNEL32 ref: 0010C322
Part of subcall function 0010C253: SetEvent.KERNEL32(?), ref: 0010C336
Part of subcall function 0010C253: InternetCloseHandle.WININET(00000000), ref: 0010C341

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5eb332dd2cd723f5a5430339ef65159e868dbea9295e3f47a7ccc956ee41f2ac
Instruction ID: b24d994695d1cdf0c088c72dffcb8feb861beb13cfcef79852725dff3aff49e3
Opcode Fuzzy Hash: 5eb332dd2cd723f5a5430339ef65159e868dbea9295e3f47a7ccc956ee41f2ac
Instruction Fuzzy Hash: 2C318E71600601FFDB259FE5DD44A6ABBF9FF18300B04861DFA9682A50DB70E8659FE0

Function 000F25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F3A57
Part of subcall function 000F3A3D: GetCurrentThreadId.KERNEL32 ref: 000F3A5E
Part of subcall function 000F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000F25B3), ref: 000F3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 000F25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000F25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000F25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 000F25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000F2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000F2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 000F260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000F2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000F2627

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 699afed08d2b87bac6545a1c5c604c135a9644556e9936eceb7f363fb5fece8f
Instruction ID: 637c726e70e1bc74fd6dabb84516db82f3f4bc1f34ef8905d75f9b6ce77cd317
Opcode Fuzzy Hash: 699afed08d2b87bac6545a1c5c604c135a9644556e9936eceb7f363fb5fece8f
Instruction Fuzzy Hash: 9401D830390614BBFB2067699C8AFAD3F59DF4EB11F100001F314AE1D1C9F214959AAA

Function 000F1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000F1449,?,?,00000000), ref: 000F180C
HeapAlloc.KERNEL32(00000000,?,000F1449,?,?,00000000), ref: 000F1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000F1449,?,?,00000000), ref: 000F1828
GetCurrentProcess.KERNEL32(?,00000000,?,000F1449,?,?,00000000), ref: 000F1830
DuplicateHandle.KERNEL32(00000000,?,000F1449,?,?,00000000), ref: 000F1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000F1449,?,?,00000000), ref: 000F1843
GetCurrentProcess.KERNEL32(000F1449,00000000,?,000F1449,?,?,00000000), ref: 000F184B
DuplicateHandle.KERNEL32(00000000,?,000F1449,?,?,00000000), ref: 000F184E
CreateThread.KERNEL32(00000000,00000000,000F1874,00000000,00000000,00000000), ref: 000F1868

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 19275c10cedfd0d3bc4cd972224eedf9a52fd0c2a8da2dc0e5483f18f66a000e
Instruction ID: b1ae5403b67bb2269907471d660cbb6d4134504d3e82b9c7c1d971ca458cae69
Opcode Fuzzy Hash: 19275c10cedfd0d3bc4cd972224eedf9a52fd0c2a8da2dc0e5483f18f66a000e
Instruction Fuzzy Hash: 8401BF75640308FFE720AB65DC4EF6B3B6CEB89B11F104411FB05DB591CA709865CB60

Function 0011A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000FD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000FD501
Part of subcall function 000FD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000FD50F
Part of subcall function 000FD4DC: CloseHandle.KERNELBASE(00000000), ref: 000FD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011A16D
GetLastError.KERNEL32 ref: 0011A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0011A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0011A268
GetLastError.KERNEL32(00000000), ref: 0011A273
CloseHandle.KERNEL32(00000000), ref: 0011A2C4

Strings

SeDebugPrivilege, xrefs: 0011A18F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 293f80cc0ea939998d5902ec736c895f0168ffb8c651fb7bb7eba5a6d4a7d541
Instruction ID: 52d415ca81cd54b6bcc0a3ea828ca248ec7423d6bc4f1a8c47252faf38ef736c
Opcode Fuzzy Hash: 293f80cc0ea939998d5902ec736c895f0168ffb8c651fb7bb7eba5a6d4a7d541
Instruction Fuzzy Hash: 1A61C331205241AFD724DF14C494FA9BBE1AF44318F5484ACE45A8BB93C772ED85CBD2

Function 00123886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00123925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0012393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00123954
_wcslen.LIBCMT ref: 00123999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001239C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001239F4

Strings

SysListView32, xrefs: 001238F7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 8109812abb349c5c0b79069587ed4c740d4cf60639a55e5dc8e26c781b961ef8
Instruction ID: 0a88bc3f5b75e9f5b933eae8e175551ef4146547f32b4ea26e612cc61455fad9
Opcode Fuzzy Hash: 8109812abb349c5c0b79069587ed4c740d4cf60639a55e5dc8e26c781b961ef8
Instruction Fuzzy Hash: B941C671A00228BBDF219F64DC49BEE77A9EF08354F100526F954E7281D7759DA0CB90

Function 000FBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000FBCFD
IsMenu.USER32(00000000), ref: 000FBD1D
CreatePopupMenu.USER32 ref: 000FBD53
GetMenuItemCount.USER32(014B5770), ref: 000FBDA4
InsertMenuItemW.USER32(014B5770,?,00000001,00000030), ref: 000FBDCC

Strings

2, xrefs: 000FBD37
0, xrefs: 000FBCA8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: fecbc98962ed7f3caab99bd39a0c0573d165f0b5a374346094c4d8372b3e30c5
Instruction ID: ab0559756e406f373b14a640f9fcc0fefee9e09aad95220771bf6d80f76f7dc4
Opcode Fuzzy Hash: fecbc98962ed7f3caab99bd39a0c0573d165f0b5a374346094c4d8372b3e30c5
Instruction Fuzzy Hash: D951AD70A0020DABDB20DFA8D884BBEBBF4AF45314F148219E611DBA91E770D941DF62

Function 000FC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000FC913

Strings

blank, xrefs: 000FC895
stop, xrefs: 000FC8E4
question, xrefs: 000FC8CC
info, xrefs: 000FC8B4
warning, xrefs: 000FC8FC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 82bc0b72cecd913ae8db3c30f1d7313c46784a5a2474122f160c7200c375c1e3
Instruction ID: c23033dc28c06af86ef6ee2968718989a831cd0db796a0c01446c1da16561949
Opcode Fuzzy Hash: 82bc0b72cecd913ae8db3c30f1d7313c46784a5a2474122f160c7200c375c1e3
Instruction Fuzzy Hash: 8F11F63168930FBAFB109B549D83CFE77DCDF15355B50002AFA00A6583E7E19E0562A5

Function 000FDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000FDE42
gethostname.WSOCK32(?,00000100), ref: 000FDE5C
gethostbyname.WSOCK32(?), ref: 000FDE69
inet_ntoa.WSOCK32(?), ref: 000FDEAB
_strcat.LIBCMT ref: 000FDEB9
WSACleanup.WSOCK32 ref: 000FDEDE

Strings

0.0.0.0, xrefs: 000FDE87

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 9c1faa38430e2b65c3ca20dacd475f7fe5082e79180b50a41b9cd508f05027cd
Instruction ID: 30c3feca3ade71922ac2cd750381d2aa4002c3bdd23b1a56a9f735856b895c90
Opcode Fuzzy Hash: 9c1faa38430e2b65c3ca20dacd475f7fe5082e79180b50a41b9cd508f05027cd
Instruction Fuzzy Hash: D811E671904119BFCB30BB60DC4AEFF77ADDF11711F01016AF645AA492EF71DA819AA0

Function 00129F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

GetSystemMetrics.USER32(0000000F), ref: 00129FC7
GetSystemMetrics.USER32(0000000F), ref: 00129FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0012A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0012A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0012A263
ShowWindow.USER32(00000003,00000000), ref: 0012A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0012A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0012A2CA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8ba4278448f3889472ecb559efba202f22fae1eb41932a5da6feb6b1efcc225c
Instruction ID: e3e28bc1331fe8940fa251ba1758e82925e84e973575fc6d1d30de270ef0d171
Opcode Fuzzy Hash: 8ba4278448f3889472ecb559efba202f22fae1eb41932a5da6feb6b1efcc225c
Instruction Fuzzy Hash: 26B1CB31600225EFDF14CF68D9857AE7BB2FF44711F088069ED49AB299D731A9A0CB61

Function 000FED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000FED2A
_wcslen.LIBCMT ref: 000FED3B
_wcslen.LIBCMT ref: 000FED79
_wcslen.LIBCMT ref: 000FEDAF
_wcslen.LIBCMT ref: 000FEDDF
_wcslen.LIBCMT ref: 000FEDEF
_wcslen.LIBCMT ref: 000FEE2B
_wcslen.LIBCMT ref: 000FEE5A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 754d4af010cebd3c2408bbcdb0da8defbd1d6f6c25e724f3bc5fb819e95feba4
Instruction ID: f3bccd93995209d147a98fc863f0c469379a8767c0814b0e445d1e687aceee21
Opcode Fuzzy Hash: 754d4af010cebd3c2408bbcdb0da8defbd1d6f6c25e724f3bc5fb819e95feba4
Instruction Fuzzy Hash: 29419E65C10258B6DB11EBF4CC8AADFB7A8AF45710F508462E618E3523FB34E355C3A6

Function 000AF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 000AF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 000EF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 000EF454

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0a2b5bf861108069ff6278e3d8ce1970be66b8dfc8080e064a874242592f7649
Instruction ID: fe0e8732632110654e1a9ee282a4c16a2251338e8e2c111dfae4ecb6c56ccc40
Opcode Fuzzy Hash: 0a2b5bf861108069ff6278e3d8ce1970be66b8dfc8080e064a874242592f7649
Instruction Fuzzy Hash: 75412831608682BEC7B99BF9C88877F7BD2AF57314F14443CE187A2961C672A9C1CB51

Function 00122D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00122D1B
GetDC.USER32(00000000), ref: 00122D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00122D2E
ReleaseDC.USER32(00000000,00000000), ref: 00122D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00122D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00122D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00125A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00122DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00122DE1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: abdccd53d620a0922783579856e29ca601230c67c91b7a4045f7b07dfa2decc5
Instruction ID: 34c0f449b15d521adfdf76192f073ec95591a0f60e3edbf521612d6ea1a68ecb
Opcode Fuzzy Hash: abdccd53d620a0922783579856e29ca601230c67c91b7a4045f7b07dfa2decc5
Instruction Fuzzy Hash: CB317A76201224BFEB218F50DC8AFEB3BA9EF09715F044055FF089A291C6759CA1CBA4

Function 000F5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000F5637
_memcmp.LIBVCRUNTIME ref: 000F5659
_memcmp.LIBVCRUNTIME ref: 000F5671
_memcmp.LIBVCRUNTIME ref: 000F5684
_memcmp.LIBVCRUNTIME ref: 000F569E
_memcmp.LIBVCRUNTIME ref: 000F56B1
_memcmp.LIBVCRUNTIME ref: 000F56C9
_memcmp.LIBVCRUNTIME ref: 000F56E4

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 031a79f3f239574d5926c9f1895025078078c72c5ef3d9bd55f87bcd3a7a0ed9
Instruction ID: f161010d6450f4f4482c12d113e736946a2a69ae6cae64ded31e1ca4fadcaf2c
Opcode Fuzzy Hash: 031a79f3f239574d5926c9f1895025078078c72c5ef3d9bd55f87bcd3a7a0ed9
Instruction Fuzzy Hash: FD21C871644A1D77D6545510AD92FFA33DCAF10786F840034FF15DBD82F760EE2191A5

Function 00114FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0011502E, 00115383
Not an Object type, xrefs: 00115007

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4d742e4c3ffb984377ff49e184a749973872067cdf27ddf1a9f9228b96a83d33
Instruction ID: 02d045346e2a65d933a1da3d2b8d8abb5aaf325ef79fa998c782bfe5ab9bd850
Opcode Fuzzy Hash: 4d742e4c3ffb984377ff49e184a749973872067cdf27ddf1a9f9228b96a83d33
Instruction Fuzzy Hash: 55D18275A0060AEFDB18CF98D881BEEB7B6BF88344F158079E915AB281D770DD85CB50

Function 000D1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 000D15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 000D1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000D16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 000D16FB

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000D1777
__freea.LIBCMT ref: 000D17A2
__freea.LIBCMT ref: 000D17AE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f3dc857c3c70127c12d7acd2fe10142ae522caa81c8b250be6ae2257ae37e133
Instruction ID: 1f3adc17bc46e11d9d428d9d06294c4c9beaef88a3b29534aabbb9a77e3e389a
Opcode Fuzzy Hash: f3dc857c3c70127c12d7acd2fe10142ae522caa81c8b250be6ae2257ae37e133
Instruction Fuzzy Hash: 6191D271E04706BADB208E64D881AEE7BF5AF49310F18465AE905E7395DF39CD40CBB0

Function 00114523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00114648
VariantInit.OLEAUT32(?), ref: 00114749
VariantClear.OLEAUT32(?), ref: 00114753
VariantClear.OLEAUT32(?), ref: 001147B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0011472C
Null Object assignment in FOR..IN loop, xrefs: 001145D8, 00114706, 001147BE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 7b11e19a78dfa3f362b2f1e97a2f5fafca0d2ccabeb70d0b20d19a5a8777d905
Instruction ID: c9893f4ea7150fd16aa1c4e0525b01ee706f687c0b158f9f027b41d82c2ed585
Opcode Fuzzy Hash: 7b11e19a78dfa3f362b2f1e97a2f5fafca0d2ccabeb70d0b20d19a5a8777d905
Instruction Fuzzy Hash: DC919271A00215AFDF28CFA4D844FEEBBB8EF46B14F108569F515AB281D7709985CFA0

Function 00101187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0010125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00101284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001012A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001012D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0010135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001013C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00101430

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f8943215185bef11f675c52da4719d4c492d8facdaf667ca193786b24b0481af
Instruction ID: 6aeac29c212c151286c80ba21f0127c29ffd304f0e6275b6da52e3bee220268b
Opcode Fuzzy Hash: f8943215185bef11f675c52da4719d4c492d8facdaf667ca193786b24b0481af
Instruction Fuzzy Hash: 9F91C372A00209AFDB15DF94C884BFE77B5FF45315F214029E991EB2D1D7B8A941CB90

Function 000A948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c08d24dbba6eb2bd1d39f64ff917bc67db4913028331a6d38b149be1a275d6e3
Instruction ID: f2bcfcb8155b9912ea9656c677e311680e06bf50610848aeb6dd00d5c215383d
Opcode Fuzzy Hash: c08d24dbba6eb2bd1d39f64ff917bc67db4913028331a6d38b149be1a275d6e3
Instruction Fuzzy Hash: D3913671E00219EFCB54CFE9C885AEEBBB9FF49320F144159E515B7251D374AA82CBA0

Function 00113947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0011396B
CharUpperBuffW.USER32(?,?), ref: 00113A7A
_wcslen.LIBCMT ref: 00113A8A
VariantClear.OLEAUT32(?), ref: 00113C1F

Part of subcall function 00100CDF: VariantInit.OLEAUT32(00000000), ref: 00100D1F
Part of subcall function 00100CDF: VariantCopy.OLEAUT32(?,?), ref: 00100D28
Part of subcall function 00100CDF: VariantClear.OLEAUT32(?), ref: 00100D34

Strings

Incorrect Parameter format, xrefs: 001139A6, 00113BA1
AUTOIT.ERROR, xrefs: 00113A80, 00113A85

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 56a0670990dc1ca52d621df16fa1bfd9318ae4802197eb3ce624d118eb56f567
Instruction ID: ac214ad0ff2dac22e1f5c5c1190efad7196d7a2e314faab7a59a6bd902efc668
Opcode Fuzzy Hash: 56a0670990dc1ca52d621df16fa1bfd9318ae4802197eb3ce624d118eb56f567
Instruction Fuzzy Hash: 7E917D756083059FCB18DF24C4819AAB7E4FF89314F14882DF8999B352DB30EE45CB92

Function 00114BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 000F000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?,?,000F035E), ref: 000F002B
Part of subcall function 000F000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0046
Part of subcall function 000F000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0054
Part of subcall function 000F000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?), ref: 000F0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00114C51
_wcslen.LIBCMT ref: 00114D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00114DCF
CoTaskMemFree.OLE32(?), ref: 00114DDA

Strings

NULL Pointer assignment, xrefs: 00114E23, 00114E52

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 75e9ccf565f10b66f5b76cc96e0278247953e499804d165cdc2459be7df53b22
Instruction ID: b5e0c4456a021218aefc6004b4e1da011cfd86c7c4d75ae3d4b2680637b5a8fc
Opcode Fuzzy Hash: 75e9ccf565f10b66f5b76cc96e0278247953e499804d165cdc2459be7df53b22
Instruction Fuzzy Hash: AA913871D0021DAFDF14DFA4D891EEEB7B9BF08710F108169E915A7252EB349A85CFA0

Function 001220FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00122183
GetMenuItemCount.USER32(00000000), ref: 001221B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001221DD
_wcslen.LIBCMT ref: 00122213
GetMenuItemID.USER32(?,?), ref: 0012224D
GetSubMenu.USER32(?,?), ref: 0012225B

Part of subcall function 000F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F3A57
Part of subcall function 000F3A3D: GetCurrentThreadId.KERNEL32 ref: 000F3A5E
Part of subcall function 000F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000F25B3), ref: 000F3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001222E3

Part of subcall function 000FE97B: Sleep.KERNEL32 ref: 000FE9F3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0ffd7b45ca619a0a166963f38256c01ea5a74ee77ff04a163d552fdc2080684e
Instruction ID: b18b4bd742690d447b5c6bc234cf166e282c65ed0398d4ec1f7841b1063c4111
Opcode Fuzzy Hash: 0ffd7b45ca619a0a166963f38256c01ea5a74ee77ff04a163d552fdc2080684e
Instruction Fuzzy Hash: 8871AE35E00215EFCB14DFA4D841AAEB7F1EF48310F118468E916EB352DB35EE528B90

Function 00127E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014B54F0), ref: 00127F37
IsWindowEnabled.USER32(014B54F0), ref: 00127F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0012801E
SendMessageW.USER32(014B54F0,000000B0,?,?), ref: 00128051
IsDlgButtonChecked.USER32(?,?), ref: 00128089
GetWindowLongW.USER32(014B54F0,000000EC), ref: 001280AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001280C3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: aa703a069bdd8f533d66d3a02bb5db5bbbeb2a67d68aa799c80dfcc195c40bfb
Instruction ID: 32bb6f0d99f37964812cbcf0aa5834bc5f40186089ed0cf0f08bc3a96c9ac7fa
Opcode Fuzzy Hash: aa703a069bdd8f533d66d3a02bb5db5bbbeb2a67d68aa799c80dfcc195c40bfb
Instruction Fuzzy Hash: C971AD3460D224AFEB259F64ED84FEBBBB5EF09300F144059F955932E1CB31A865CB60

Function 000FAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000FAEF9
GetKeyboardState.USER32(?), ref: 000FAF0E
SetKeyboardState.USER32(?), ref: 000FAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 000FAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 000FAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 000FAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000FB020

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f1a84329c2d91e090ad4c8cb4e3ee232423618363391f293ae014c7da9fb8559
Instruction ID: f4a10d7d75e3464fe86b47d02c3f47f41381846aaf04d96a7bdce9771cbffb86
Opcode Fuzzy Hash: f1a84329c2d91e090ad4c8cb4e3ee232423618363391f293ae014c7da9fb8559
Instruction Fuzzy Hash: 6A51C2E06047D93DFB768274CC45BBA7EE96B06304F088599E3D949CC3C798A8D8EB51

Function 000FACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000FAD19
GetKeyboardState.USER32(?), ref: 000FAD2E
SetKeyboardState.USER32(?), ref: 000FAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000FADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000FADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000FAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000FAE38

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 14aadf94da5d2340d5374f1e551627b122409314b3da0ff17d88ba8ea225da07
Instruction ID: 05bb47083885c82c705950eed93fe130df6e1837fb742abb44b53bfec3233ba8
Opcode Fuzzy Hash: 14aadf94da5d2340d5374f1e551627b122409314b3da0ff17d88ba8ea225da07
Instruction Fuzzy Hash: 0251C6E16447D93DFB364224CC55BBA7EE96B47300F088588E2DA46CC3D294EC98F752

Function 000C542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000D3CD6,?,?,?,?,?,?,?,?,000C5BA3,?,?,000D3CD6,?,?), ref: 000C5470
__fassign.LIBCMT ref: 000C54EB
__fassign.LIBCMT ref: 000C5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000D3CD6,00000005,00000000,00000000), ref: 000C552C
WriteFile.KERNEL32(?,000D3CD6,00000000,000C5BA3,00000000,?,?,?,?,?,?,?,?,?,000C5BA3,?), ref: 000C554B
WriteFile.KERNEL32(?,?,00000001,000C5BA3,00000000,?,?,?,?,?,?,?,?,?,000C5BA3,?), ref: 000C5584

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: fe890dff93926e298d4bb6e5208624e2eaad4b649a6975676face1319da57e8a
Instruction ID: 15fe75d4eac10b61be676c4ae8d11dec7e63de77544ed00a9c8577f36cb442fa
Opcode Fuzzy Hash: fe890dff93926e298d4bb6e5208624e2eaad4b649a6975676face1319da57e8a
Instruction Fuzzy Hash: 9151AD74A00A08AFDB20CFA8DC55FEEBBF9EB08301F14415EE555E7291D670AA81CB60

Function 000B2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000B2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 000B2D53
_ValidateLocalCookies.LIBCMT ref: 000B2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 000B2E0C
_ValidateLocalCookies.LIBCMT ref: 000B2E61

Strings

csm, xrefs: 000B2DF6

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4d5ca3494c9255bc0e5bf3ddb639c58c9f6853a684877ea8a617054ba4e959eb
Instruction ID: 49fa50b2c9bee2d49302db1748009567c7ad53af9095e1257d9b5e0e9d499296
Opcode Fuzzy Hash: 4d5ca3494c9255bc0e5bf3ddb639c58c9f6853a684877ea8a617054ba4e959eb
Instruction Fuzzy Hash: 89419E34A00209ABCF10DF68C895ADEBBF5FF44324F148165E814AB392DB31EA45CBD1

Function 001110B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0011304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0011307A
Part of subcall function 0011304E: _wcslen.LIBCMT ref: 0011309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00111112
WSAGetLastError.WSOCK32 ref: 00111121
WSAGetLastError.WSOCK32 ref: 001111C9
closesocket.WSOCK32(00000000), ref: 001111F9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d4940ae2b82fe01735e9d285a30b7d8cd248c4356eda7d69b16072fa1a3e4847
Instruction ID: dd5fee9db1b0f1598bac439d51a2fc596729eb8e6c7089c47f1dec4605456533
Opcode Fuzzy Hash: d4940ae2b82fe01735e9d285a30b7d8cd248c4356eda7d69b16072fa1a3e4847
Instruction Fuzzy Hash: CB41C331600604BFDB249F24C884BE9F7EAEF45324F148069FE199B292D770AD81CBE1

Function 000FCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000FCF22,?), ref: 000FDDFD

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000FCF22,?), ref: 000FDE16

lstrcmpiW.KERNEL32(?,?), ref: 000FCF45
MoveFileW.KERNEL32(?,?), ref: 000FCF7F
_wcslen.LIBCMT ref: 000FD005
_wcslen.LIBCMT ref: 000FD01B
SHFileOperationW.SHELL32(?), ref: 000FD061

Strings

\*.*, xrefs: 000FCFF3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 765fb3c1038fd660d7eaf738db7101804c46187b2bcc7e0ad9015360c6b21587
Instruction ID: 68a8920a628d525ec876efcae5292b65d431fd6cc8b5fbdfc098605fde78de6d
Opcode Fuzzy Hash: 765fb3c1038fd660d7eaf738db7101804c46187b2bcc7e0ad9015360c6b21587
Instruction Fuzzy Hash: 4741587190521C5EDF52EBA4C982EEDB7F9AF04340F0000E6E605EB552EA34A748DB50

Function 00122DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00122E1C
GetWindowLongW.USER32(?,000000F0), ref: 00122E4F
GetWindowLongW.USER32(?,000000F0), ref: 00122E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00122EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00122EE0
GetWindowLongW.USER32(?,000000F0), ref: 00122EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00122F0B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0f835f5c3595f64bc339d76a79676e67c428fab85ebda46c338d6346a3defa8e
Instruction ID: 5c2a12c5fb68dc0b1ed8a9e56f62498fd7fbcbfae51c1eed9baad33aa4002721
Opcode Fuzzy Hash: 0f835f5c3595f64bc339d76a79676e67c428fab85ebda46c338d6346a3defa8e
Instruction Fuzzy Hash: D2310530604160BFDB21CF58EC84FA937E1EB5A714F1A4164FA108F6B1CBB1A8A1EF41

Function 000F7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F778F
SysAllocString.OLEAUT32(00000000), ref: 000F7792
SysAllocString.OLEAUT32(?), ref: 000F77B0
SysFreeString.OLEAUT32(?), ref: 000F77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 000F77DE
SysAllocString.OLEAUT32(?), ref: 000F77EC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 192f922f943fe0f7136022d332e1ad7833d87c9c8df092dc82fea80811c419e4
Instruction ID: fef6f605da6c863d2720253fb1242eb616f0667789e6f0ffa5f319f9ad8b5ca1
Opcode Fuzzy Hash: 192f922f943fe0f7136022d332e1ad7833d87c9c8df092dc82fea80811c419e4
Instruction Fuzzy Hash: A5219176608219BFDB20EFA8CC84CBF73ECEB093647108025FA08DB551D6709C419BA1

Function 000F77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000F7868
SysAllocString.OLEAUT32(00000000), ref: 000F786B
SysAllocString.OLEAUT32 ref: 000F788C
SysFreeString.OLEAUT32 ref: 000F7895
StringFromGUID2.OLE32(?,?,00000028), ref: 000F78AF
SysAllocString.OLEAUT32(?), ref: 000F78BD

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6dd87d1cb3ca158a0695542e9e912f4cfe6c51c9c570108041857855ff466883
Instruction ID: c35ce00781265d042a14bad2921f49d82e1438f09693245ae39dd49a438b5785
Opcode Fuzzy Hash: 6dd87d1cb3ca158a0695542e9e912f4cfe6c51c9c570108041857855ff466883
Instruction Fuzzy Hash: 23215331604108BF9B20ABA8DC89DBA77ECEB097607108125FA15CB5A1DA70DC42DB65

Function 001004D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001004F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0010052E

Strings

nul, xrefs: 00100567

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ec8ea10f9077a7f20944b8d2b0f1ead8d9275ec98fd9fcc3b6d64e320c64cea9
Instruction ID: 2b0196cbb58ffb03b0db5920f989fc67ebb2d740ab7294231c2e9a6eb7f4e492
Opcode Fuzzy Hash: ec8ea10f9077a7f20944b8d2b0f1ead8d9275ec98fd9fcc3b6d64e320c64cea9
Instruction Fuzzy Hash: 5E216871500305EFDB219F29DC04B9A7BB4BF49724F204A29E9E1D62E0D7B09991CF60

Function 001005A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001005C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00100601

Strings

nul, xrefs: 00100639

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5c4bf17cdf28ceeaeae622f9888247d33c1871bacca939434d273438409c3541
Instruction ID: d23f1abc1ce5774489f147b5f3e1c82301d9f021fb3994ec6a03f3b6f127c7bf
Opcode Fuzzy Hash: 5c4bf17cdf28ceeaeae622f9888247d33c1871bacca939434d273438409c3541
Instruction Fuzzy Hash: DF219F35500305EFDB219F689C04B9A77A5BF99720F200A19E9E1E72E0EBB199A1CB50

Function 001240AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0009600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0009604C
Part of subcall function 0009600E: GetStockObject.GDI32(00000011), ref: 00096060
Part of subcall function 0009600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00124112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0012411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0012412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00124139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00124145

Strings

Msctls_Progress32, xrefs: 001240E3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7fc653021258a1b79d98621c751df051fa07aa27ce356aa875791a221ab41af5
Instruction ID: 5dd37ae20296e67c9d236caf4992dd2fa5c022d11af8905ea0cfc68175382e94
Opcode Fuzzy Hash: 7fc653021258a1b79d98621c751df051fa07aa27ce356aa875791a221ab41af5
Instruction Fuzzy Hash: 9C1190B2140229BFEF219F64DC86EE77F5DEF08798F014110FA18A6190CB729C61DBA4

Function 000CD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000CD7A3: _free.LIBCMT ref: 000CD7CC

_free.LIBCMT ref: 000CD82D

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000CD838
_free.LIBCMT ref: 000CD843
_free.LIBCMT ref: 000CD897
_free.LIBCMT ref: 000CD8A2
_free.LIBCMT ref: 000CD8AD
_free.LIBCMT ref: 000CD8B8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 03236a53786841b20c6452c9a145a4531de6130129b934e6ece6c1f57ec6fb64
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 90111971944B04AADA21BFB0CC47FCF7BDCEF04700F40592EB29DA6893EA75B5059660

Function 000FDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000FDA74
LoadStringW.USER32(00000000), ref: 000FDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000FDA91
LoadStringW.USER32(00000000), ref: 000FDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000FDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000FDAB9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f5cd76f764b17b7d361887b5a8d2f2038312af89f6e9bdabe47ba555921b97c2
Instruction ID: c8295a2cc5de04ac4292d4720a2a936aad93603c5151434781cba078c3efebee
Opcode Fuzzy Hash: f5cd76f764b17b7d361887b5a8d2f2038312af89f6e9bdabe47ba555921b97c2
Instruction Fuzzy Hash: 530162F6500208BFE7609BA0DD89EFB336CEB08301F400492B706E2541E6749E958FB5

Function 0010096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014AD020,014AD020), ref: 0010097B
EnterCriticalSection.KERNEL32(014AD000,00000000), ref: 0010098D
TerminateThread.KERNEL32(?,000001F6), ref: 0010099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001009A9
CloseHandle.KERNEL32(?), ref: 001009B8
InterlockedExchange.KERNEL32(014AD020,000001F6), ref: 001009C8
LeaveCriticalSection.KERNEL32(014AD000), ref: 001009CF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f6cb0139aa479f862ce321fe2c96fc118221e092791e97eef132b17ca5320d42
Instruction ID: 985a115e6e2867c325f1a5d54396a7ee190a6578b8441c46d82b34c9b58a752b
Opcode Fuzzy Hash: f6cb0139aa479f862ce321fe2c96fc118221e092791e97eef132b17ca5320d42
Instruction Fuzzy Hash: FFF0CD31442912FFD7665B94EE89BDA7A25BF05706F501015F20150CA5CB7594B6CFD0

Function 00095D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00095D30
GetWindowRect.USER32(?,?), ref: 00095D71
ScreenToClient.USER32(?,?), ref: 00095D99
GetClientRect.USER32(?,?), ref: 00095ED7
GetWindowRect.USER32(?,?), ref: 00095EF8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3864faecb7543fdd8103970bbf3b54b1a84b04348e3cdb7806bae81d50644378
Instruction ID: 4f66837654b692094f797af698868b71cbd185c8ba1b45c67f10672fe1588695
Opcode Fuzzy Hash: 3864faecb7543fdd8103970bbf3b54b1a84b04348e3cdb7806bae81d50644378
Instruction Fuzzy Hash: 0AB15C35A0074ADBDF24CFAAC8406EEB7F1FF58311F14841AE8A9D7250DB34AA51EB54

Function 000C01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000C00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C00D6
__allrem.LIBCMT ref: 000C00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C010B
__allrem.LIBCMT ref: 000C0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000C0140

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: e6054d5bde61777a6e2e7cc33407a301042d1cb0a3d75c9b5df719e6e18c14b2
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: AA819072A00B06ABE7249F68CC42FEEB3E9AF41764F25453EF551D7682E771D9008750

Function 00111D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00113149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0011101C,00000000,?,?,00000000), ref: 00113195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00111DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00111DE1
WSAGetLastError.WSOCK32 ref: 00111DF2
inet_ntoa.WSOCK32(?), ref: 00111E8C
htons.WSOCK32(?,?,?,?,?), ref: 00111EDB
_strlen.LIBCMT ref: 00111F35

Part of subcall function 000F39E8: _strlen.LIBCMT ref: 000F39F2

Part of subcall function 00096D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,000ACF58,?,?,?), ref: 00096DBA
Part of subcall function 00096D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,000ACF58,?,?,?), ref: 00096DED

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: fbc990f1750b5c8b068d4223a96c6d177d8ca63a0281785593455986422df2bc
Instruction ID: 93ba0e8eafdd417ed968d15950baaa83ff2784c3fc668565746f69d7a35c25b5
Opcode Fuzzy Hash: fbc990f1750b5c8b068d4223a96c6d177d8ca63a0281785593455986422df2bc
Instruction Fuzzy Hash: B1A10331104301AFC728DF64C885FAABBE5AF85318F54895CF5565B2A3CB31ED86CB92

Function 000C61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000B82D9,000B82D9,?,?,?,000C644F,00000001,00000001,8BE85006), ref: 000C6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000C644F,00000001,00000001,8BE85006,?,?,?), ref: 000C62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000C63D8
__freea.LIBCMT ref: 000C63E5

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

__freea.LIBCMT ref: 000C63EE
__freea.LIBCMT ref: 000C6413

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 955bef1b4deec11152612dca3e2a5524ad60b95444842bac054d6c71737136f8
Instruction ID: bb24015a18b0f5ecd06ff866f4325b2d866c32ea40a64b1d6d08498b1c67c818
Opcode Fuzzy Hash: 955bef1b4deec11152612dca3e2a5524ad60b95444842bac054d6c71737136f8
Instruction Fuzzy Hash: 0751CD72A00256ABEB358FA4CC81FAF7BA9EB44750B14462DF905D6182EB36DD40C6A0

Function 0011BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0011BD25
RegCloseKey.ADVAPI32(00000000), ref: 0011BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0011BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0011BDF3
RegCloseKey.ADVAPI32(?), ref: 0011BDFF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b4f6e1e9060bb3756cc8ecf662bf21137ae293cd32640a8566dd65c0946adc08
Instruction ID: c45fe2e3be79ad1112a2508645883b609188bf84a0d240de7f23982bca24430f
Opcode Fuzzy Hash: b4f6e1e9060bb3756cc8ecf662bf21137ae293cd32640a8566dd65c0946adc08
Instruction Fuzzy Hash: 61818F30208241AFDB18DF64C8C5EAABBE5FF84308F14856CF5554B2A2DB31ED85DB92

Function 000EF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000EF7B9
SysAllocString.OLEAUT32(00000001), ref: 000EF860
VariantCopy.OLEAUT32(000EFA64,00000000), ref: 000EF889
VariantClear.OLEAUT32(000EFA64), ref: 000EF8AD
VariantCopy.OLEAUT32(000EFA64,00000000), ref: 000EF8B1
VariantClear.OLEAUT32(?), ref: 000EF8BB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 77d91c7faa39091bce7bf5013da43d225b31dea344d617187b36946701bdf52e
Instruction ID: 6a1f2aaf6a921681c305fc60ae03398844f5dc75a76da4545e6233616e8c5274
Opcode Fuzzy Hash: 77d91c7faa39091bce7bf5013da43d225b31dea344d617187b36946701bdf52e
Instruction Fuzzy Hash: F851C531600392BEDF24AB66D895B7DB3E9EF45310B249466E905FF293DB708C40C796

Function 0010910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001094E5
_wcslen.LIBCMT ref: 00109506
_wcslen.LIBCMT ref: 0010952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00109585

Strings

X, xrefs: 00109412

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 81414b2db63607f541bd4cbee4d48dca1c7c565ed41c8d720c5e25363def8885
Instruction ID: 663ea00391ecbb933f65bc4e934089463de9ee562c1d41def1f80b59f381be35
Opcode Fuzzy Hash: 81414b2db63607f541bd4cbee4d48dca1c7c565ed41c8d720c5e25363def8885
Instruction Fuzzy Hash: B4E19E71608340DFCB24DF25C891AAAB7E0BF85314F05896DF8999B2A3DB71DD05CB92

Function 000A920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

BeginPaint.USER32(?,?,?), ref: 000A9241
GetWindowRect.USER32(?,?), ref: 000A92A5
ScreenToClient.USER32(?,?), ref: 000A92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000A92D3
EndPaint.USER32(?,?,?,?,?), ref: 000A9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000E71EA

Part of subcall function 000A9339: BeginPath.GDI32(00000000), ref: 000A9357

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 558d9de46130ae3e4604116892f86eec205704f59066727106c523e30e762f54
Instruction ID: 875456c554ba5b573e32ed65fca415b088c1a731ab035fd5e3a1540ea3f5738a
Opcode Fuzzy Hash: 558d9de46130ae3e4604116892f86eec205704f59066727106c523e30e762f54
Instruction Fuzzy Hash: 5141D031204300AFDB21DF65CC85FBA7BF8EF46324F140669FA54972A2C7719885DBA1

Function 001007EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0010080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00100847
EnterCriticalSection.KERNEL32(?), ref: 00100863
LeaveCriticalSection.KERNEL32(?), ref: 001008DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001008F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00100921

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2231ccbadf854b201b6f05fd9525ffaf0dc332eb2d23b4eecfaf0f93220c49a2
Instruction ID: 930bb66e2114f602cc4ac3b8d769f9f16aa61286454a8795d7dcd875dd494b6e
Opcode Fuzzy Hash: 2231ccbadf854b201b6f05fd9525ffaf0dc332eb2d23b4eecfaf0f93220c49a2
Instruction Fuzzy Hash: A6415B71900205EFDF15DF94DC85AAA77B8FF08310F1480A5ED049A29BDB70EE65DBA4

Function 001281DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000EF3AB,00000000,?,?,00000000,?,000E682C,00000004,00000000,00000000), ref: 0012824C
EnableWindow.USER32(?,00000000), ref: 00128272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001282D1
ShowWindow.USER32(?,00000004), ref: 001282E5
EnableWindow.USER32(?,00000001), ref: 0012830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0012832F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 09c76e80a05fe264c01f1a629352aa81fbf5105540b4cbc2db58661588745801
Instruction ID: 8fd2f1d2dd65d6d317a3c1e143997887727c7a8e8cf5e5a336e9e5fb3bc55c23
Opcode Fuzzy Hash: 09c76e80a05fe264c01f1a629352aa81fbf5105540b4cbc2db58661588745801
Instruction Fuzzy Hash: 9F41C530602654EFDB25CF14EC99BE47BF1FB0A714F184169E5084B662CB71A8A1CF50

Function 000F4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000F4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000F4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000F4CEA
_wcslen.LIBCMT ref: 000F4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000F4D10
_wcsstr.LIBVCRUNTIME ref: 000F4D1A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b2d43f41eb72df041b0241f7401c581d85a26415676f7b5e2cce98053930d14e
Instruction ID: b56f1d33f151e65e4761cd36fd74c2bdb57b6d07fe830cb313ec2741e688fe5d
Opcode Fuzzy Hash: b2d43f41eb72df041b0241f7401c581d85a26415676f7b5e2cce98053930d14e
Instruction Fuzzy Hash: 8A213B312042047BEB659B79EC49EBF7BDCDF45750F104039FE05CA592DA71CC41A2A0

Function 0010581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00093AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00093A97,?,?,00092E7F,?,?,?,00000000), ref: 00093AC2

_wcslen.LIBCMT ref: 0010587B
CoInitialize.OLE32(00000000), ref: 00105995
CoCreateInstance.OLE32(0012FCF8,00000000,00000001,0012FB68,?), ref: 001059AE
CoUninitialize.OLE32 ref: 001059CC

Strings

.lnk, xrefs: 00105876, 001058C1, 00105985

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 4893dae119eecd5d7c1c97d79b1d94efed3bc6e21dbfda0af3d4b974b3e6ef98
Instruction ID: 3a1b2c90606a4a311ac4b875123fcd0172f8037b120cba35a0391fa22c080425
Opcode Fuzzy Hash: 4893dae119eecd5d7c1c97d79b1d94efed3bc6e21dbfda0af3d4b974b3e6ef98
Instruction Fuzzy Hash: 48D15271608601DFCB14DF24C480A6BBBE6EF89714F15885DF8899B2A2DB71EC45CF92

Function 000F175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F0FCA
Part of subcall function 000F0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F0FD6
Part of subcall function 000F0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F0FE5
Part of subcall function 000F0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000F0FEC
Part of subcall function 000F0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F1002

GetLengthSid.ADVAPI32(?,00000000,000F1335), ref: 000F17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000F17BA
HeapAlloc.KERNEL32(00000000), ref: 000F17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 000F17DA
GetProcessHeap.KERNEL32(00000000,00000000,000F1335), ref: 000F17EE
HeapFree.KERNEL32(00000000), ref: 000F17F5

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: bc99ffbb2cc2baaf178b21f2bee962e03879db24d1b9ec0c8ddd460a07d2791c
Instruction ID: 2c2060287fd0f77a43b7a037639ffa412b381c3e422afab672d996edb11f52c6
Opcode Fuzzy Hash: bc99ffbb2cc2baaf178b21f2bee962e03879db24d1b9ec0c8ddd460a07d2791c
Instruction Fuzzy Hash: D1119A31904209FBDB24AFA4CC4ABFF7BB9EB41355F104058F64597610C735A995EBA0

Function 000F14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000F14FF
OpenProcessToken.ADVAPI32(00000000), ref: 000F1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000F1515
CloseHandle.KERNEL32(00000004), ref: 000F1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000F154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 000F1563

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dcb2dc248bf4f8e3d0221decd5c6ba1d8d2d23dda138d878e1531fbc7818e2cf
Instruction ID: 0a63f0b8d7e536ea2784de0d3eb1a43cc9ae7e32be480c06602064490a2098d7
Opcode Fuzzy Hash: dcb2dc248bf4f8e3d0221decd5c6ba1d8d2d23dda138d878e1531fbc7818e2cf
Instruction Fuzzy Hash: EC11177250024DFFDB218F98DD49BEE7BA9FF48744F144015FA05A2460C3759EA1ABA0

Function 000B3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000B3379,000B2FE5), ref: 000B3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000B339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000B33B7
SetLastError.KERNEL32(00000000,?,000B3379,000B2FE5), ref: 000B3409

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 53e208281ab658473ae97e889bbbbde6a88916a8d55659503ef817f8b9fb2a11
Instruction ID: 44f7d1526a1a1b47df1f0e81ed4d51334bf9586af260b027b9b7fa6eb8fcb7f2
Opcode Fuzzy Hash: 53e208281ab658473ae97e889bbbbde6a88916a8d55659503ef817f8b9fb2a11
Instruction Fuzzy Hash: 42014733608311FEA6282B74BC86AEB2BD4EB0577A7304229F510852F2EF115E4291C4

Function 000C2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000C5686,000D3CD6,?,00000000,?,000C5B6A,?,?,?,?,?,000BE6D1,?,00158A48), ref: 000C2D78
_free.LIBCMT ref: 000C2DAB
_free.LIBCMT ref: 000C2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,000BE6D1,?,00158A48,00000010,00094F4A,?,?,00000000,000D3CD6), ref: 000C2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,000BE6D1,?,00158A48,00000010,00094F4A,?,?,00000000,000D3CD6), ref: 000C2DEC
_abort.LIBCMT ref: 000C2DF2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b5e31c73bcdde84d21aa1d62fc3aef8649a5bf02513e21125faccc22f5098e65
Instruction ID: 70e7b6118d9b8572c1c0a34ca71d74d013a3b85ccf7c33624e02995639d47761
Opcode Fuzzy Hash: b5e31c73bcdde84d21aa1d62fc3aef8649a5bf02513e21125faccc22f5098e65
Instruction Fuzzy Hash: 57F0C831505B00BBC6627734BC06F9F2699BFD17A1F25451CF92596DD3EF348C4251A0

Function 00128A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A9693
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96A2
Part of subcall function 000A9639: BeginPath.GDI32(?), ref: 000A96B9
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00128A4E
LineTo.GDI32(?,00000003,00000000), ref: 00128A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00128A70
LineTo.GDI32(?,00000000,00000003), ref: 00128A80
EndPath.GDI32(?), ref: 00128A90
StrokePath.GDI32(?), ref: 00128AA0

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: feb4ebc0b5f0537a1a3afb072472076a086b690dc03972c3e6f0561a7cb5a4e9
Instruction ID: 95d02c2ca1d5bfc7a5725ee6aca119b92c52dfd33868a31d6b5ea4fd93aab156
Opcode Fuzzy Hash: feb4ebc0b5f0537a1a3afb072472076a086b690dc03972c3e6f0561a7cb5a4e9
Instruction Fuzzy Hash: 4A11C976000119FFEF129F94DC88EAA7F6DEB08354F048012FA199A5A1C771ADA5DFA0

Function 000F51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000F5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 000F5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F5230
ReleaseDC.USER32(00000000,00000000), ref: 000F5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000F524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 000F5261

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ac71e9bddd22038fb161b5f9a38c6c060e1a837bea3282278f8b24d5055509f8
Instruction ID: 77a7964ecbde4b4c0b7a42cad44d506563b0ac1d0c177649c212f3aec55c3eae
Opcode Fuzzy Hash: ac71e9bddd22038fb161b5f9a38c6c060e1a837bea3282278f8b24d5055509f8
Instruction Fuzzy Hash: 3E018B75E00708BBEB209BA69C49A5EBFB8EF48752F044165FB04AB681D6709811CBA0

Function 00091BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00091BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00091BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00091C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00091C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00091C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00091C22

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9d820f72c2547e1e75c3b1a750db94e5b6205a176f245c1c4082fae783148a31
Instruction ID: 47e8be1f42e5db17e9ecf9a95dc881bb62a2246d74a6aea90c76132aaa9e0ca2
Opcode Fuzzy Hash: 9d820f72c2547e1e75c3b1a750db94e5b6205a176f245c1c4082fae783148a31
Instruction Fuzzy Hash: 0D016CB09027597DE3008F5A8C85B56FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 000FEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000FEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000FEB46
GetWindowThreadProcessId.USER32(?,?), ref: 000FEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000FEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000FEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000FEB75

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 521e5b1733e42717eae6709eed2abbca23d34353ebeaf9892104b3d372248c50
Instruction ID: ac7c3b4c6e9ad62bf2131b954f93c03af4d7c1560520cbb79d099c9822d6ba34
Opcode Fuzzy Hash: 521e5b1733e42717eae6709eed2abbca23d34353ebeaf9892104b3d372248c50
Instruction Fuzzy Hash: 2BF01772240558BBE6315B629C0EEEF3A7CEBCAB11F000158F701D1591A7A05A628AF5

Function 000E7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000E7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000E7469
GetWindowDC.USER32(?), ref: 000E7475
GetPixel.GDI32(00000000,?,?), ref: 000E7484
ReleaseDC.USER32(?,00000000), ref: 000E7496
GetSysColor.USER32(00000005), ref: 000E74B0

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 24e0f8637e3a553ebc276eb11a2f475be340bafbbaec0801bb1851b2cd6f3338
Instruction ID: 6472dc7189c83c374d86ee5310d0b2a68b7a6d36a46a2f383c1144858898a1c8
Opcode Fuzzy Hash: 24e0f8637e3a553ebc276eb11a2f475be340bafbbaec0801bb1851b2cd6f3338
Instruction Fuzzy Hash: 75014B31500215FFDB715FA4DC09BEEBBB6FF04321F550164FA1AA25A1CB315EA2AB90

Function 000F1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000F187F
UnloadUserProfile.USERENV(?,?), ref: 000F188B
CloseHandle.KERNEL32(?), ref: 000F1894
CloseHandle.KERNEL32(?), ref: 000F189C
GetProcessHeap.KERNEL32(00000000,?), ref: 000F18A5
HeapFree.KERNEL32(00000000), ref: 000F18AC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: bbc0820bf4cce6b4916601d458fa63c6231b2b6fe455fbc943c766bf3aad5a5e
Instruction ID: 82ce7966512578e7306218fcbef81ea9883028190c2cf8d8620e10d5f77dcd93
Opcode Fuzzy Hash: bbc0820bf4cce6b4916601d458fa63c6231b2b6fe455fbc943c766bf3aad5a5e
Instruction Fuzzy Hash: 8EE0C236004501FFDA115BA1ED0D90ABB29FF49B22B208620F32581874CB3294B2DB90

Function 000FC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000FC6EE
_wcslen.LIBCMT ref: 000FC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000FC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000FC7CA

Strings

0, xrefs: 000FC6AF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c325762942bd51eb7da48c86f58884e9b4d736c3b507ba064dae75c6841722d0
Instruction ID: f37dcd0b6be2c00803f8fd3360f621a07834b650c1b5995be6575372a852a7bd
Opcode Fuzzy Hash: c325762942bd51eb7da48c86f58884e9b4d736c3b507ba064dae75c6841722d0
Instruction Fuzzy Hash: BE51F37160830D9BE754AF28CA46EBF77E4AF45314F04092DFA91D3991DB70D904EB52

Function 0011AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0011AEA3

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

GetProcessId.KERNEL32(00000000), ref: 0011AF38
CloseHandle.KERNEL32(00000000), ref: 0011AF67

Strings

<, xrefs: 0011AE6B
@, xrefs: 0011AE72

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3edca893db3675eeb472740983fcd803f9f1236d5a8859933fddc7e411b61334
Instruction ID: d4c3140bdaf7cde5f1b9cd0b4f68bef3ad0cc8f7893f9893e8805836b9e78420
Opcode Fuzzy Hash: 3edca893db3675eeb472740983fcd803f9f1236d5a8859933fddc7e411b61334
Instruction Fuzzy Hash: 20714771A05615DFCF18DFA4C494A9EBBF0AF08310F4484A9E81AAB392C774ED85CB91

Function 000F719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000F7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000F723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000F724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000F72CF

Strings

DllGetClassObject, xrefs: 000F7242

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 4905d85e0e7406471b55ab95532a23580a0ac69ad3ceee20118fe19538517fbc
Instruction ID: 8459f02ea3a8f3a56c88289a535b2a5e605672c4ed4e9ae4e641528eea859e93
Opcode Fuzzy Hash: 4905d85e0e7406471b55ab95532a23580a0ac69ad3ceee20118fe19538517fbc
Instruction Fuzzy Hash: EE41C271604208EFDB65CF54C884AAA7BF9EF44310F1080ADBE099F60AD7B1DD45DBA1

Function 00123D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00123E35
IsMenu.USER32(?), ref: 00123E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00123E92
DrawMenuBar.USER32 ref: 00123EA5

Strings

0, xrefs: 00123D89

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8625b0ce45e4c1c6761ce6a77ad0b694d996462e69ab859d1476f50715eb2fc8
Instruction ID: 29b15e587085456145e086d495148e8a1d23839b8c1bfbb7110c737038669b90
Opcode Fuzzy Hash: 8625b0ce45e4c1c6761ce6a77ad0b694d996462e69ab859d1476f50715eb2fc8
Instruction Fuzzy Hash: AB418A75A00219AFDB10DF50E880AEABBB5FF48354F054029E921A7250D334EE69CF90

Function 000F1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000F1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000F1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 000F1EA9

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Strings

ComboBox, xrefs: 000F1DF0
ListBox, xrefs: 000F1E25

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3b5ff1dca0ecf9814430103403bc415aa9c1411ca24163bbc5cb52798aa9be14
Instruction ID: e12ce2df0fbacac9467de0fb10826031f09558226ef7ebdbda4c41b039908b7a
Opcode Fuzzy Hash: 3b5ff1dca0ecf9814430103403bc415aa9c1411ca24163bbc5cb52798aa9be14
Instruction Fuzzy Hash: 5E216871A00108FEDF24ABA4DC46CFFB7B9DF42360B10411DFA21A76E2DB34490AE660

Function 0011C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0011C9F1
_wcslen.LIBCMT ref: 0011CA68
_wcslen.LIBCMT ref: 0011CA9E
_wcslen.LIBCMT ref: 0011CAF9
_wcslen.LIBCMT ref: 0011CB2F
_wcslen.LIBCMT ref: 0011CB7F

Strings

HKLM, xrefs: 0011CA98, 0011CA9D
HKEY_LOCAL_MACHINE, xrefs: 0011CA62, 0011CA67

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 67f180cb5de77cbd94db110a1e82b3402dc122caf66fbb6f7e717abda5d4041d
Instruction ID: 5e89310ccd08f1a024bc79f58ed55a735a431b96af012c8c448adbfc3d9023cc
Opcode Fuzzy Hash: 67f180cb5de77cbd94db110a1e82b3402dc122caf66fbb6f7e717abda5d4041d
Instruction Fuzzy Hash: 9D31F533A8016A8BCB2ADE6CA9411FF33915FA1750B554039EC55AB285FB71CEC4D3E0

Function 00122F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00122F8D
LoadLibraryW.KERNEL32(?), ref: 00122F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00122FA9
DestroyWindow.USER32(?), ref: 00122FB1

Strings

SysAnimate32, xrefs: 00122F68

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: e0111936579a6813e3a926c21deaee12512143ab0c502acf0234a07d5bcab6ca
Instruction ID: 1ae0d7b775fcec6ff7bd979be1d92c492114dbfa311dc30a4354f99e94d9ec86
Opcode Fuzzy Hash: e0111936579a6813e3a926c21deaee12512143ab0c502acf0234a07d5bcab6ca
Instruction Fuzzy Hash: 6E219A72200225BBEB208F64ED80EBF77B9EB59364F100618FA50D6190D771DCA197A0

Function 000B4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000B4D1E,000C28E9,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002), ref: 000B4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000B4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,000B4D1E,000C28E9,?,000B4CBE,000C28E9,001588B8,0000000C,000B4E15,000C28E9,00000002,00000000), ref: 000B4DC3

Strings

CorExitProcess, xrefs: 000B4D98
mscoree.dll, xrefs: 000B4D86

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d6cb95859cf4970abd892618b341012917e12c07686631c74335afeeeadd5434
Instruction ID: 84402c989fc4839b0988781e253f080d039d202860b9995d25bd985e7510ac52
Opcode Fuzzy Hash: d6cb95859cf4970abd892618b341012917e12c07686631c74335afeeeadd5434
Instruction Fuzzy Hash: 1FF04F35A40208FBDB619F94DC49BEEBBF5EF48752F0040A8F905A26A1CB305A91CAD1

Function 000ED3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000ED3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000ED3BF
FreeLibrary.KERNEL32(00000000), ref: 000ED3E5

Strings

GetSystemWow64DirectoryW, xrefs: 000ED3B9
X64, xrefs: 000ED2A8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: c414deea639308044d2ea65f51ee5521b0d0dcca4a41e66304f81acf7338c6df
Instruction ID: 13c06ef67e106f7ce17dd659007e088a10eec4b43a849238e3edf0a4db0025ea
Opcode Fuzzy Hash: c414deea639308044d2ea65f51ee5521b0d0dcca4a41e66304f81acf7338c6df
Instruction Fuzzy Hash: 22F0AB31805AA1EFD3B113228C689AD7760FF22702F58805FFB02F6011DB20CEA0C6D2

Function 00094E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00094EAE
FreeLibrary.KERNEL32(00000000,?,?,00094EDD,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00094EA8
kernel32.dll, xrefs: 00094E94

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 970bba944d40467eca0b217b3be2d1756b94d25a97e9af9769300452c74a2db6
Instruction ID: e618beb22a682a845fea08e8132b8c39f90af3d0fdb0c0782196933da4c7d263
Opcode Fuzzy Hash: 970bba944d40467eca0b217b3be2d1756b94d25a97e9af9769300452c74a2db6
Instruction Fuzzy Hash: 2CE0CD35A01532EBD67117257C19F5F65D4AF81FA37050115FE01D3100DB60CD6394E0

Function 00094E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00094E74
FreeLibrary.KERNEL32(00000000,?,?,000D3CDE,?,00161418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00094E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00094E6E
kernel32.dll, xrefs: 00094E5B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 53c6ce8a46e806441d71830703eab359eaee9171e4b2e1f5e2b54b52d26298f9
Instruction ID: a035fac9c50c4858b7f6951973a4f79b8e188a4fc65126326825d9a2304a9003
Opcode Fuzzy Hash: 53c6ce8a46e806441d71830703eab359eaee9171e4b2e1f5e2b54b52d26298f9
Instruction Fuzzy Hash: 3DD0C232912A31E78A321B247C09DCF2A58AF85B513050110BE00A2210CF20CD63D5D0

Function 00102947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00102C05
DeleteFileW.KERNEL32(?), ref: 00102C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00102C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00102CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00102CC0

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 2988188831b3f62961d0905895d03f354044591da05853184877005715ab8d55
Instruction ID: 6c38ef77f5648c1fdc9a747e663c71e3a4d771e7e0f060a7440554c9ea7bf60e
Opcode Fuzzy Hash: 2988188831b3f62961d0905895d03f354044591da05853184877005715ab8d55
Instruction Fuzzy Hash: 62B13071D00119ABDF25DBA4CC89EDEB77DEF49350F1040A6FA09E7192EB709A448F61

Function 0011A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0011A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0011A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0011A468
CloseHandle.KERNEL32(?), ref: 0011A63D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2bbc42d404d093c13eceded38997a8e686d47e27f28c86ee88bbe0f6f5f0ba82
Instruction ID: 1687be1aa3f540e14a14ba5a69b301dbf376130bb565d470794074fc4d31a928
Opcode Fuzzy Hash: 2bbc42d404d093c13eceded38997a8e686d47e27f28c86ee88bbe0f6f5f0ba82
Instruction Fuzzy Hash: 70A1C371604301AFE724DF24C886F6ABBE1AF84714F54882DF55A9B292D7B0EC41CB92

Function 000FE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000FCF22,?), ref: 000FDDFD

Part of subcall function 000FDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000FCF22,?), ref: 000FDE16

Part of subcall function 000FE199: GetFileAttributesW.KERNEL32(?,000FCF95), ref: 000FE19A

lstrcmpiW.KERNEL32(?,?), ref: 000FE473
MoveFileW.KERNEL32(?,?), ref: 000FE4AC
_wcslen.LIBCMT ref: 000FE5EB
_wcslen.LIBCMT ref: 000FE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000FE650

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fe8dd0bd1d56f5fc30e5ddfd2c574af97da3337a1a62ebd79545a668963c2c29
Instruction ID: bfa29e4af9d4df72448f99852d0ec7a74bfd2ac49b4008951f7cd4b927895e06
Opcode Fuzzy Hash: fe8dd0bd1d56f5fc30e5ddfd2c574af97da3337a1a62ebd79545a668963c2c29
Instruction Fuzzy Hash: 825173B24087895BC764EB94DC819EFB3DCAF84340F00491EF689D3552EF74A688D766

Function 0011B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 0011C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0011B6AE,?,?), ref: 0011C9B5
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011C9F1
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA68
Part of subcall function 0011C998: _wcslen.LIBCMT ref: 0011CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0011BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0011BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0011BB63
RegCloseKey.ADVAPI32(?,?), ref: 0011BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0011BBB3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8f30f1ba1887381d6b6479c61b5672ac5e4f968b363fe28c81834c6ee9b8fb35
Instruction ID: 66118f3a3403e4f15aef1d44b125380a617ea889596f9aeed7fd0e9669a9a03b
Opcode Fuzzy Hash: 8f30f1ba1887381d6b6479c61b5672ac5e4f968b363fe28c81834c6ee9b8fb35
Instruction Fuzzy Hash: 51615C7120C241AFD718DF14C491EAABBE5BF84308F54856CF4994B2A2DB31ED85DB92

Function 000F8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000F8BCD
VariantClear.OLEAUT32 ref: 000F8C3E
VariantClear.OLEAUT32 ref: 000F8C9D
VariantClear.OLEAUT32(?), ref: 000F8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000F8D3B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3e1c66dee04a4e9868c1137af64107003f0c9866e8e32c3bcae17863e2f8693b
Instruction ID: c1e5106236ec55d3e70bf21af998fd2b5b5019bc10cd1bb1354b0fe67116f66e
Opcode Fuzzy Hash: 3e1c66dee04a4e9868c1137af64107003f0c9866e8e32c3bcae17863e2f8693b
Instruction Fuzzy Hash: 1C5159B5A00619EFCB14CF68C894AEAB7F8FF89310F158559EA15DB354E730E911CB90

Function 00108AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00108BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00108BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00108C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00108C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00108C5F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: b7fd4d4ea1791b06756d2e81af03e3514f4c92cf426b0143dc1501cb72003d50
Instruction ID: 2fd0711bcd5ba23d7aa42a98d2f94ace5fb0db4e86d6598ded08a784089bc5c0
Opcode Fuzzy Hash: b7fd4d4ea1791b06756d2e81af03e3514f4c92cf426b0143dc1501cb72003d50
Instruction Fuzzy Hash: ED515735A04615EFDF11DF64C880AAEBBF1BF49314F088058E849AB3A2DB71ED51DB90

Function 00118EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00118F40
GetProcAddress.KERNEL32(00000000,?), ref: 00118FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00118FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00119032
FreeLibrary.KERNEL32(00000000), ref: 00119052

Part of subcall function 000AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00101043,?,753CE610), ref: 000AF6E6
Part of subcall function 000AF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000EFA64,00000000,00000000,?,?,00101043,?,753CE610,?,000EFA64), ref: 000AF70D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 7a1dda7417d923f60596081ff5e7ca511b6e7ab1322d9a40d558e8b144b901c3
Instruction ID: 61bfc043ffaf4600907a260c34c07ec9c8516327946110f32c56ab657f8d90b3
Opcode Fuzzy Hash: 7a1dda7417d923f60596081ff5e7ca511b6e7ab1322d9a40d558e8b144b901c3
Instruction Fuzzy Hash: 7E514935A04205DFCB19DF58C4949EDBBF1FF49324B0580A8E81A9B762DB31ED86CB91

Function 00126B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00126C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00126C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00126C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0010AB79,00000000,00000000), ref: 00126C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00126CC7

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f2ce41a829253bd93eaf1c911f1a53c799e36f48675996e5155956428513d05d
Instruction ID: 82ca13e958da3d38de5861b030ca46e4eab9b506ea40e4dbfa2b24f2fed48844
Opcode Fuzzy Hash: f2ce41a829253bd93eaf1c911f1a53c799e36f48675996e5155956428513d05d
Instruction Fuzzy Hash: DE41D635604124BFD728EF28DC54FA97BA5EB09360F150268F999A72E0C371ED71DA90

Function 000C2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000C20C3
_free.LIBCMT ref: 000C20E3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 945db331c96be23f8f708c7f921929bbe4e7d506b3ecff66826555319a741db8
Instruction ID: ccabfec59ff9987d512744abda87f6a84260a0295604899ad194c1da77e802b8
Opcode Fuzzy Hash: 945db331c96be23f8f708c7f921929bbe4e7d506b3ecff66826555319a741db8
Instruction Fuzzy Hash: 8E41A136A002009FCB24DFB8C981F9DB7E5EF99314F25456DEA15EB792DA31AD01CB80

Function 000A912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000A9141
ScreenToClient.USER32(00000000,?), ref: 000A915E
GetAsyncKeyState.USER32(00000001), ref: 000A9183
GetAsyncKeyState.USER32(00000002), ref: 000A919D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5890c9907c2a8a7d663b149224064cf5480859182eaed56ad3310d92201362e6
Instruction ID: 5f0a1ec545ef5b162b688468e6b9884cd370bb3e09686cc43f882a264f8aca04
Opcode Fuzzy Hash: 5890c9907c2a8a7d663b149224064cf5480859182eaed56ad3310d92201362e6
Instruction Fuzzy Hash: F4414F31A0865AFFDF159FA9C844BEEB7B4FF46320F208255E429A7290C7346950DB91

Function 00103874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001038CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00103922
TranslateMessage.USER32(?), ref: 0010394B
DispatchMessageW.USER32(?), ref: 00103955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00103966

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e138f225e82a453f6f57071d36ed6bab664b57d455eac40b163e6cbd9d6d368d
Instruction ID: 19504d969fe9c29eb7ade399d6b0013ffba69b3c8eee19b3533689437fe40d74
Opcode Fuzzy Hash: e138f225e82a453f6f57071d36ed6bab664b57d455eac40b163e6cbd9d6d368d
Instruction Fuzzy Hash: 8C31A270904345AEEB39CB749C49BB637ACAB15308F08456EE4F2825E0E3F49AC5CB61

Function 0010CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0010C21E,00000000), ref: 0010CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0010CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0010C21E,00000000), ref: 0010CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0010C21E,00000000), ref: 0010CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0010C21E,00000000), ref: 0010CFF2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e1f726f7ff1d315dd3a9b9740967938d24afedafa9de77493b8be36bc90f5389
Instruction ID: 3f768fa2e6d512f494bd012c6cd3d951b589c87efb8c4e277aaf27c0c1eb596c
Opcode Fuzzy Hash: e1f726f7ff1d315dd3a9b9740967938d24afedafa9de77493b8be36bc90f5389
Instruction Fuzzy Hash: F3314971600206EFDB24DFA5C884AAEBBFAEB14354B10452EF556D2181DB70AE41DFA1

Function 000F1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000F1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 000F19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 000F19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 000F19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 000F19E2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: eb107c04c5b795bf03ab9163c1bb31b6b74f2dc940c6efd1a4622d157f698a1d
Instruction ID: 6bd1b2e1fd12b401301eb233d8d4e1143ad178cbf595a6a248188c49ab606857
Opcode Fuzzy Hash: eb107c04c5b795bf03ab9163c1bb31b6b74f2dc940c6efd1a4622d157f698a1d
Instruction Fuzzy Hash: 4031E071A0421DEFCB14CFA8CD99AEE3BB5EB44314F004229FA21A72D1C3B09954EBD0

Function 00125706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00125745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0012579D
_wcslen.LIBCMT ref: 001257AF
_wcslen.LIBCMT ref: 001257BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00125816

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: faebf8cef9452e7a13daf649dc33bda79cb90445e4544c8cdefbe8e120583a42
Instruction ID: e8d8b4ae2262ba7df50ff84b9a9a7919a1844eab0faa1ea62152bd4d43114776
Opcode Fuzzy Hash: faebf8cef9452e7a13daf649dc33bda79cb90445e4544c8cdefbe8e120583a42
Instruction Fuzzy Hash: AC21A731904628EADB209FA0ECC4AEDB7B9FF04724F108116E919DB181E77089D5CF50

Function 00110930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00110951
GetForegroundWindow.USER32 ref: 00110968
GetDC.USER32(00000000), ref: 001109A4
GetPixel.GDI32(00000000,?,00000003), ref: 001109B0
ReleaseDC.USER32(00000000,00000003), ref: 001109E8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f58f66e3c28f021ee877ff00e47fc254fd2d14624e4d3e13ccbf6ac2d860a437
Instruction ID: 0b9e85b6aac2e01d9987a5d46102c316accd11c2d07e81eb0549c2f9600ac514
Opcode Fuzzy Hash: f58f66e3c28f021ee877ff00e47fc254fd2d14624e4d3e13ccbf6ac2d860a437
Instruction Fuzzy Hash: 4421A135A00204AFD714EF65DC94AAEBBF5EF48700F008038E94AD7762CB70AC84CB90

Function 000CCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000CCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000CCDE9

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000CCE0F
_free.LIBCMT ref: 000CCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000CCE31

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f973ab12c5129355dadc07de85741a730145cf2608c7bc27804fe2102203d4b4
Instruction ID: d16bfc1c8379b3d3e6659c99eb99b996bfaf16c0de7fe7c8879a0e1ce54971ef
Opcode Fuzzy Hash: f973ab12c5129355dadc07de85741a730145cf2608c7bc27804fe2102203d4b4
Instruction Fuzzy Hash: 180184726016157F333157BAAC89E7F69ADEFC7BA1315012DFA09C7201EA718D1281F0

Function 000A9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A9693
SelectObject.GDI32(?,00000000), ref: 000A96A2
BeginPath.GDI32(?), ref: 000A96B9
SelectObject.GDI32(?,00000000), ref: 000A96E2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3c4106e61bd9417f4ee0acd1122420216b1bdac7453ad633690aa3dce2e2831c
Instruction ID: 87be839a3ec485bb3608cf814fd522ecd610187b238fbc053875b54cb3ca2eb7
Opcode Fuzzy Hash: 3c4106e61bd9417f4ee0acd1122420216b1bdac7453ad633690aa3dce2e2831c
Instruction Fuzzy Hash: 91216D74902315FBEB219FA4DC157AD3BA9BF01319F180216F410A65A0D3B059D1CFD4

Function 000F5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000F5726
_memcmp.LIBVCRUNTIME ref: 000F5744
_memcmp.LIBVCRUNTIME ref: 000F5757
_memcmp.LIBVCRUNTIME ref: 000F576F
_memcmp.LIBVCRUNTIME ref: 000F5787

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 155ffc8f5d8b01a7835a941a13907008d8cca97ada7d8e88d757d29031d77501
Instruction ID: d3d46055664271357f12f038975b7109f44d7236199d0b4db5c4511f5eff210a
Opcode Fuzzy Hash: 155ffc8f5d8b01a7835a941a13907008d8cca97ada7d8e88d757d29031d77501
Instruction Fuzzy Hash: CD01F572249B1DBBD2586111BD82FFB73DC9B20796F400034FF059AA42F760EE21A2A0

Function 000C2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000BF2DE,000C3863,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6), ref: 000C2DFD
_free.LIBCMT ref: 000C2E32
_free.LIBCMT ref: 000C2E59
SetLastError.KERNEL32(00000000,00091129), ref: 000C2E66
SetLastError.KERNEL32(00000000,00091129), ref: 000C2E6F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e78cafdff314229563ae7a3e1a150d7db422ff8c6f3145a5ea3218e45708d10a
Instruction ID: d6e76c0df76588f3d497156403a2deb9f5738aa7c0be7552905ae5ad8820bbc6
Opcode Fuzzy Hash: e78cafdff314229563ae7a3e1a150d7db422ff8c6f3145a5ea3218e45708d10a
Instruction Fuzzy Hash: CF012D36105B007BC62267746C85F6F159DFBD1371721442CF411B39D3EF308C514060

Function 000F000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?,?,000F035E), ref: 000F002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?), ref: 000F0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000EFF41,80070057,?,?), ref: 000F0070

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0024c5e009336b832021f193a91d67efa3f22a079937e781af08f3a2787ede1e
Instruction ID: 0529060b8e94bf5f0ceee66f0fc8029a4c35f0be6c7401e5c618cd9da7d8f4ca
Opcode Fuzzy Hash: 0024c5e009336b832021f193a91d67efa3f22a079937e781af08f3a2787ede1e
Instruction Fuzzy Hash: 16018F72600208BFDB204F68DC04FBE7AEDEF44751F148128FA05D2611DB71DD91ABA0

Function 000FE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000FE997
QueryPerformanceFrequency.KERNEL32(?), ref: 000FE9A5
Sleep.KERNEL32(00000000), ref: 000FE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 000FE9B7
Sleep.KERNEL32 ref: 000FE9F3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 72f3789d91259ddc04d46b468cd9aaa3fe6657abb58cce94e419d4fc2c851a89
Instruction ID: 5fc5ef979da63fdf06462a3fc61d348f0dfe2532e0664705934f7b711b06c607
Opcode Fuzzy Hash: 72f3789d91259ddc04d46b468cd9aaa3fe6657abb58cce94e419d4fc2c851a89
Instruction Fuzzy Hash: 21016D31C0566DEBCF509FE4DC496EDBB78FF09700F000556E602B2661DB7095A5D7A1

Function 000F10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000F1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000F0B9B,?,?,?), ref: 000F1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000F114D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 11337356f8e5b3e699a73d2a3bb71bcfe7ffc612c1afe035ec56c5d19f6caba1
Instruction ID: 394b937991fd754ed26a36efd816695bdadd35927da596c6c2957895b6a86648
Opcode Fuzzy Hash: 11337356f8e5b3e699a73d2a3bb71bcfe7ffc612c1afe035ec56c5d19f6caba1
Instruction Fuzzy Hash: 75016D79100205FFDB214F64DC49AAA3BAEFF85360B140414FB41C3350DB31DC519AA0

Function 000F0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000F0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000F0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000F0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000F0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000F1002

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c7bab5bee8b045f8b80a0e35eccaabe3b404fe24404bf44af7ce3d94e07d9576
Instruction ID: ee9189c07d0173e4aaefc3f79665e1a1bc0ea065bb617945fa8cf1cd1fa8e2f9
Opcode Fuzzy Hash: c7bab5bee8b045f8b80a0e35eccaabe3b404fe24404bf44af7ce3d94e07d9576
Instruction Fuzzy Hash: 9BF04F3A100305FBD7214FA49C4AF9A3BADEF89761F204414FB45C7651CA70DCA18AA0

Function 000F1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1062

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2c64c9ea896c3cd7b1b291dfccfbac7c6f9dcdc08a0c4637b68fa950fa9a4379
Instruction ID: 4f108ae43e611e3d253e1386c70de3324618bcc1dbf04694762018105d890000
Opcode Fuzzy Hash: 2c64c9ea896c3cd7b1b291dfccfbac7c6f9dcdc08a0c4637b68fa950fa9a4379
Instruction Fuzzy Hash: 3FF04939200305FBDB215FA4EC49FAA3BADEF89761F200424FB45C7650CA70D8A18AA0

Function 0010030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100324
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100331
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 0010033E
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 0010034B
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100358
CloseHandle.KERNEL32(?,?,?,?,0010017D,?,001032FC,?,00000001,000D2592,?), ref: 00100365

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b859dc998f64fb16abb0328746413cd7b2db2fe321f79e3d390c691227a4a768
Instruction ID: c235b986d09d2462e2af4d8183b50f01779bd806841439c1e0c2126e1f62962c
Opcode Fuzzy Hash: b859dc998f64fb16abb0328746413cd7b2db2fe321f79e3d390c691227a4a768
Instruction Fuzzy Hash: F401EA72800B019FCB32AF66D880902FBF9BF643163158A3FD19252970C3B1A998CF80

Function 000CD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000CD752

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000CD764
_free.LIBCMT ref: 000CD776
_free.LIBCMT ref: 000CD788
_free.LIBCMT ref: 000CD79A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62b9260028607f2a79dc1fa325afac038af5d2bdb36a92f5d02e5d15df412bab
Instruction ID: 4827e22c7c8009c201d48cae855bebe9745d4c8f7d6ad8a0548621cc06921cfe
Opcode Fuzzy Hash: 62b9260028607f2a79dc1fa325afac038af5d2bdb36a92f5d02e5d15df412bab
Instruction Fuzzy Hash: CFF04F32548304AB8661EB64F9C5E5E77DDFB04311795091EF058EB902D730FC8086A0

Function 000F5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000F5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 000F5C6F
MessageBeep.USER32(00000000), ref: 000F5C87
KillTimer.USER32(?,0000040A), ref: 000F5CA3
EndDialog.USER32(?,00000001), ref: 000F5CBD

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1708dea7c324c1c323fe9f23dce32c158871d4267183b64ec2915fc03bc2b587
Instruction ID: ff4808eb8326240525b83281abcb76b7d56f0df71649aa288f730c9c30f430aa
Opcode Fuzzy Hash: 1708dea7c324c1c323fe9f23dce32c158871d4267183b64ec2915fc03bc2b587
Instruction Fuzzy Hash: 15016D30500B08AFEB305B10DD4EFAA77B8BF00B06F000559A783A19E1DBF4A9999AD0

Function 000C22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000C22BE

Part of subcall function 000C29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000), ref: 000C29DE
Part of subcall function 000C29C8: GetLastError.KERNEL32(00000000,?,000CD7D1,00000000,00000000,00000000,00000000,?,000CD7F8,00000000,00000007,00000000,?,000CDBF5,00000000,00000000), ref: 000C29F0

_free.LIBCMT ref: 000C22D0
_free.LIBCMT ref: 000C22E3
_free.LIBCMT ref: 000C22F4
_free.LIBCMT ref: 000C2305

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5ac39c0a0dff8c0fb0cd5f05012f6c29dadc4b35c88531bd246fd86b57b814e4
Instruction ID: a4d60a4d07c920aed162f457abf3e81c7fb3c695531a17460e0ed2144c33a112
Opcode Fuzzy Hash: 5ac39c0a0dff8c0fb0cd5f05012f6c29dadc4b35c88531bd246fd86b57b814e4
Instruction Fuzzy Hash: C9F0DA75841220AF8613AF58BC11E8D3BA5F718B61715054EF410D6EB2CBB10991EFE4

Function 000A95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000A95D4
StrokeAndFillPath.GDI32(?,?,000E71F7,00000000,?,?,?), ref: 000A95F0
SelectObject.GDI32(?,00000000), ref: 000A9603
DeleteObject.GDI32 ref: 000A9616
StrokePath.GDI32(?), ref: 000A9631

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f0d1e980f26161e73dddcbaf6dca1f4dcb31add23defb2e701fa8f6b6ee8cb85
Instruction ID: 5fd50b0e90635200f05440ed12c87e61831aa7fcde4de0550881ce25869146e1
Opcode Fuzzy Hash: f0d1e980f26161e73dddcbaf6dca1f4dcb31add23defb2e701fa8f6b6ee8cb85
Instruction Fuzzy Hash: 36F03C34505704FBEB265FA5ED1D7A83BA5EB02326F088214F525558F0C7B089E2DFA4

Function 000C0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000C10F9
__freea.LIBCMT ref: 000C1117

Part of subcall function 000C1537: _free.LIBCMT ref: 000C154F

Strings

am/pm, xrefs: 000C117A
a/p, xrefs: 000C11DE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f85f660c3d7a0e28eaabe1624d69417212268e050b0ac49a315d277c5fdc3f81
Instruction ID: 3a6aa41ef3ba39e6506938a7ba3ecd2f4c80643da581f4af22373037e1b61af2
Opcode Fuzzy Hash: f85f660c3d7a0e28eaabe1624d69417212268e050b0ac49a315d277c5fdc3f81
Instruction Fuzzy Hash: E0D10F75900286DACB649F68C845FFEB7F1EF07304F28415EE901AB692D3759E81CB91

Function 00117B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 000B0242: EnterCriticalSection.KERNEL32(0016070C,00161884,?,?,000A198B,00162518,?,?,?,000912F9,00000000), ref: 000B024D
Part of subcall function 000B0242: LeaveCriticalSection.KERNEL32(0016070C,?,000A198B,00162518,?,?,?,000912F9,00000000), ref: 000B028A

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000B00A3: __onexit.LIBCMT ref: 000B00A9

__Init_thread_footer.LIBCMT ref: 00117BFB

Part of subcall function 000B01F8: EnterCriticalSection.KERNEL32(0016070C,?,?,000A8747,00162514), ref: 000B0202
Part of subcall function 000B01F8: LeaveCriticalSection.KERNEL32(0016070C,?,000A8747,00162514), ref: 000B0235

Strings

G, xrefs: 00117C7F
5, xrefs: 00117C78
Variable must be of type 'Object'., xrefs: 00117C3A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: a98ecf55e7f67d2e48b983c5950396de0cfafd79ccdad9c7b0db46ee9081399d
Instruction ID: 4f70a9892ce76a35d6f0c1cfbba0b5461d874cf922fe40ffaa79932428289343
Opcode Fuzzy Hash: a98ecf55e7f67d2e48b983c5950396de0cfafd79ccdad9c7b0db46ee9081399d
Instruction Fuzzy Hash: 52917D74A04209EFCF18EF94D8919EDB7B2BF45300F148069F816AB392DB71AE85DB51

Function 000C5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 000C5BA8, 000C5C6C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-2356230762
Opcode ID: d02cd48ad482eabfe616ef7135b3b8ef217ea7d3d9a516cf0251c052a1181d9e
Instruction ID: 2e173160f400acfd42580e64374749a4a0dcf03fe962ee9202ec71a8381a9ec6
Opcode Fuzzy Hash: d02cd48ad482eabfe616ef7135b3b8ef217ea7d3d9a516cf0251c052a1181d9e
Instruction Fuzzy Hash: 5051BF79900A0AAFCB219FA4CD85FEEBFB8EF05312F14015DF405A7292D771A9819B61

Function 000F2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000FB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F21D0,?,?,00000034,00000800,?,00000034), ref: 000FB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000F2760

Part of subcall function 000FB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000F21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000FB3F8

Part of subcall function 000FB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000FB355
Part of subcall function 000FB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000F2194,00000034,?,?,00001004,00000000,00000000), ref: 000FB365
Part of subcall function 000FB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000F2194,00000034,?,?,00001004,00000000,00000000), ref: 000FB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000F281A

Strings

@, xrefs: 000F2832

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c716aebed541fca4bdaa55e3926d56a865e52c018b139459f65333acd1ff9134
Instruction ID: 75e079e9ee9d1e2a9b1969c8beee2e6ceb2aeb0b65af57f4153af65be906e3f9
Opcode Fuzzy Hash: c716aebed541fca4bdaa55e3926d56a865e52c018b139459f65333acd1ff9134
Instruction Fuzzy Hash: F3413B7290021CBFDB10DBA4CD42AEEBBB8AF09700F004099FA55B7581DB706E85DFA1

Function 000C172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 000C1769
_free.LIBCMT ref: 000C1834
_free.LIBCMT ref: 000C183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 000C1760, 000C1767, 000C1796, 000C17CE

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: aa9af2f5018901064823605f84f3e5d92c440df2df032839f925c07a933ecd9d
Instruction ID: abf3ff9c3512ce71204cc19eda08ed9a8d641b741e42c62b9bf6cbdccd57b1ca
Opcode Fuzzy Hash: aa9af2f5018901064823605f84f3e5d92c440df2df032839f925c07a933ecd9d
Instruction Fuzzy Hash: 01314175A44218BFDB21DF999C85EDEBBFCEB86710B64416EE404D7212DAB08A44CB90

Function 000FC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000FC306
DeleteMenu.USER32(?,00000007,00000000), ref: 000FC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00161990,014B5770), ref: 000FC395

Strings

0, xrefs: 000FC2DF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f3ba62c2a076c8d6d6e400d56eb9633117d9e6cc388322bfd3bb2fdbab8443e6
Instruction ID: e3e594957e45a6cc9328be00b59162977098bdc5c63bebae6f3a4b9452f7e758
Opcode Fuzzy Hash: f3ba62c2a076c8d6d6e400d56eb9633117d9e6cc388322bfd3bb2fdbab8443e6
Instruction Fuzzy Hash: 1941D2712043099FE720DF25D946F7ABBE4AF85350F00861DFAA5976D2D730EA04DB52

Function 00124416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0012CC08,00000000,?,?,?,?), ref: 001244AA
GetWindowLongW.USER32 ref: 001244C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001244D7

Strings

SysTreeView32, xrefs: 0012447C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3fa4d08f87d4f22c1b1ea31cf0b3f41d2baa90d65fb0291fa23eb324e4478b8b
Instruction ID: e75181627a0aeec6c11d4239901f0ed4049a6076e0a7e8b0d700d51ff06d1f44
Opcode Fuzzy Hash: 3fa4d08f87d4f22c1b1ea31cf0b3f41d2baa90d65fb0291fa23eb324e4478b8b
Instruction Fuzzy Hash: 90319A31200265AFDB209F78EC45BEA7BA9EB09324F204315F975A21E1D770ECA19B90

Function 0011304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0011335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00113077,?,?), ref: 00113378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0011307A
_wcslen.LIBCMT ref: 0011309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00113106

Strings

255.255.255.255, xrefs: 00113095, 0011309A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6a5878cbe408bdb1b476f5c1c6ea35d68492208972db0e704c8db36f3817f3ac
Instruction ID: 450d4f66c9673e1a7d1aa433ed15af421ed9cfc1c9da3df3526daaefa5c245dc
Opcode Fuzzy Hash: 6a5878cbe408bdb1b476f5c1c6ea35d68492208972db0e704c8db36f3817f3ac
Instruction Fuzzy Hash: AB310735200201DFCB28CF28C485EEA77E0EF18314F2580A9E9258B396CB31EF81C760

Function 00123EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00123F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00123F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00123F78

Strings

SysMonthCal32, xrefs: 00123F0B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b5dea50ff4d016601ed39a12cd102d4e92c6247f434fa5070a0120b29aea425b
Instruction ID: a0af91cce3d64766573eef89a7f3de42fa775c15ad88ff8ab6179d9583d32e71
Opcode Fuzzy Hash: b5dea50ff4d016601ed39a12cd102d4e92c6247f434fa5070a0120b29aea425b
Instruction Fuzzy Hash: EC218D32600229BBDF258F50EC46FEA3B79EB48714F110214FA156B1D0D7B5A9A59B90

Function 00124653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00124705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00124713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0012471A

Strings

msctls_updown32, xrefs: 00124684

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: de1b45dec5a11636833ab933b965c7cc459b0d1551ee8d3dced7dc5aa00341fd
Instruction ID: ce6cb25e896320b5274cf21927bd90758b09955ce126e1f1189c20cb4900e924
Opcode Fuzzy Hash: de1b45dec5a11636833ab933b965c7cc459b0d1551ee8d3dced7dc5aa00341fd
Instruction Fuzzy Hash: 1A213EB5600219AFDB11DF64ECC1DAB37ADEB5A398B040059FA149B391CB71EC61DA60

Function 000F95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F961D

Strings

#OnAutoItStartRegister, xrefs: 000F95F3
#notrayicon, xrefs: 000F95B7
#requireadmin, xrefs: 000F95D9

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 209759f0c505a3e0636f591e587fff1ce1104425b5b1144802a0660f4b4c6f85
Instruction ID: 9907c4985dea8696b70a6570bdfd58d244c6593e5fb0cb3459a2512876597a31
Opcode Fuzzy Hash: 209759f0c505a3e0636f591e587fff1ce1104425b5b1144802a0660f4b4c6f85
Instruction Fuzzy Hash: ED215B3210462966C731AB24DC02FFB73DC9F51700F14402AFB49D7442EBA1DD52E395

Function 001237B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00123840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00123850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00123876

Strings

Listbox, xrefs: 0012380F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e31538b94ca29b075bf62fedd425749589dd9c26bef1b3e5be651587e55bfb70
Instruction ID: f34163707f76ecfa6954176875b003fa71ab9965a095ae7e1ed8f5de5863c3ba
Opcode Fuzzy Hash: e31538b94ca29b075bf62fedd425749589dd9c26bef1b3e5be651587e55bfb70
Instruction Fuzzy Hash: 54219F72610228BBEF218F54EC85FBB376EEF89750F118124FA149B190C775DC628BA0

Function 001049F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00104A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00104A5C
SetErrorMode.KERNEL32(00000000,?,?,0012CC08), ref: 00104AD0

Strings

%lu, xrefs: 00104A6F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4f8b9647256eeb35d0d3ac6f15d65f742651f3dddbf77c1f6a42df59a3c88441
Instruction ID: 23d71cdac1b3df7067838a973b75038cc7ad2d4e152a890871f266a77d281e6a
Opcode Fuzzy Hash: 4f8b9647256eeb35d0d3ac6f15d65f742651f3dddbf77c1f6a42df59a3c88441
Instruction Fuzzy Hash: 91313075A00109EFDB10DF58C885EAE77F8EF05304F1480A9E909DB252DB71ED45CBA1

Function 001241EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0012424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00124264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00124271

Strings

msctls_trackbar32, xrefs: 00124226

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a9c2a84fa1cab67828e4b56c67d2d36aae8b52a65d3814fc4328437754323c97
Instruction ID: f14afbe25d95585a6fb5a83fd076376dbeb3e82f56c53e66789c3c0c894ccbe0
Opcode Fuzzy Hash: a9c2a84fa1cab67828e4b56c67d2d36aae8b52a65d3814fc4328437754323c97
Instruction Fuzzy Hash: 5B11E331240218BFEF205E29EC06FAB3BACEF95B54F010114FA55E6090D3B1D8619B20

Function 000F2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00096B57: _wcslen.LIBCMT ref: 00096B6A

Part of subcall function 000F2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000F2DC5
Part of subcall function 000F2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F2DD6
Part of subcall function 000F2DA7: GetCurrentThreadId.KERNEL32 ref: 000F2DDD
Part of subcall function 000F2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000F2DE4

GetFocus.USER32 ref: 000F2F78

Part of subcall function 000F2DEE: GetParent.USER32(00000000), ref: 000F2DF9

GetClassNameW.USER32(?,?,00000100), ref: 000F2FC3
EnumChildWindows.USER32(?,000F303B), ref: 000F2FEB

Strings

%s%d, xrefs: 000F2FFF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 348fa898b417d2effc1f734bd16dc69862bbd7e12626c96219954a4a579e566a
Instruction ID: ca55ce0b29ea09fac51debbb96e3eb2463bcf13de93e6f035790786eb7d452bc
Opcode Fuzzy Hash: 348fa898b417d2effc1f734bd16dc69862bbd7e12626c96219954a4a579e566a
Instruction Fuzzy Hash: E311AF71600209ABCF547F608C95EFE37AAAF84314F044075BA099B693EF71994AAB60

Function 00125882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001258C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001258EE
DrawMenuBar.USER32(?), ref: 001258FD

Strings

0, xrefs: 0012588F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 61b6f0723c49f3c1912c504d07e2806d3a4b0e3dcb433f3f9ecadc7d37c633c4
Instruction ID: f0a6b3ccf11eb566d4e7a8e6f970e444d34d0536502f1ce51f8f6dc873a29810
Opcode Fuzzy Hash: 61b6f0723c49f3c1912c504d07e2806d3a4b0e3dcb433f3f9ecadc7d37c633c4
Instruction Fuzzy Hash: F0016D31600228EFDB219F51EC84BAEBBB5FF45364F108099E949D6151DB308AE5DF61

Function 000F007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5662de671194bb698aee989b35d6ab3f9656c7d51ac96cf296963d15afd230
Instruction ID: f88c1021be53ba6f84d94439761e2601cf578528e181beaa605d04a80618e487
Opcode Fuzzy Hash: 9c5662de671194bb698aee989b35d6ab3f9656c7d51ac96cf296963d15afd230
Instruction Fuzzy Hash: 6DC13C75A0021AEFDB14CFA4C894ABEB7B9FF48704F108598E605EB652D731EE41DB90

Function 000C3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000C3F0B
__alldvrm.LIBCMT ref: 000C410C
__alldvrm.LIBCMT ref: 000C412E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: b2a65c86d541d7b55751fec93b3f1e45cf058d7c340f44a1c1311abecfc137d4
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B3A15871E103869FDB25CF18C8A1FEEBBE5FF65350F28456DE9859B282C6348982C750

Function 0011342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00113459
CoUninitialize.OLE32 ref: 00113463
VariantInit.OLEAUT32(?), ref: 0011346E
VariantClear.OLEAUT32(?), ref: 0011371B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 7d17d186ee958fb3eb07e42f30eebc3cce0c547d409136b6f1bf1723e1ebcaa8
Instruction ID: e49198945e8d6dadd2aec7642ccde3476550bdef24da562a6b8c1d0be0964d25
Opcode Fuzzy Hash: 7d17d186ee958fb3eb07e42f30eebc3cce0c547d409136b6f1bf1723e1ebcaa8
Instruction Fuzzy Hash: 9EA17F756087009FCB04DF24C485AAAB7E5FF88710F05886DF99A9B362DB70EE41DB91

Function 000F0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0012FC08,?), ref: 000F05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0012FC08,?), ref: 000F0608
CLSIDFromProgID.OLE32(?,?,00000000,0012CC40,000000FF,?,00000000,00000800,00000000,?,0012FC08,?), ref: 000F062D
_memcmp.LIBVCRUNTIME ref: 000F064E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fa243671c7c9a170b2298395686ae4a177eb30950bf1a9827c0301b8b47c6a22
Instruction ID: 7a1bea70c0aec4164e75ce4f9c83d94192bce4068e7913eddf788b65ab69490e
Opcode Fuzzy Hash: fa243671c7c9a170b2298395686ae4a177eb30950bf1a9827c0301b8b47c6a22
Instruction Fuzzy Hash: C2811971A00109EFCB04DF94C988EEEB7B9FF89315F204558E606EB251DB71AE06DB60

Function 0011A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0011A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0011A6BA

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Process32NextW.KERNEL32(00000000,?), ref: 0011A79C
CloseHandle.KERNEL32(00000000), ref: 0011A7AB

Part of subcall function 000ACE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000D3303,?), ref: 000ACE8A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3ee3fdea6d248b4de999630aae08ba2bf0387b432fae0cdc92020892ecbdc930
Instruction ID: ee7085bd360dac1f68cc769b7772144f0a770243bd84aa50751883effc30b94e
Opcode Fuzzy Hash: 3ee3fdea6d248b4de999630aae08ba2bf0387b432fae0cdc92020892ecbdc930
Instruction Fuzzy Hash: D8516D71508301AFD714EF24C886AAFBBE8FF89754F40492DF58997252EB31D944CB92

Function 000D1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000D14C0

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e5bf84334c9f9a01c2d9552f81699d5b381cb15226ce93230be527d2a4e463af
Instruction ID: 85fa3abdee4cb41201ec1ac6e849515d6bf9156fb9cd0cd88a4645d87c991ca2
Opcode Fuzzy Hash: e5bf84334c9f9a01c2d9552f81699d5b381cb15226ce93230be527d2a4e463af
Instruction Fuzzy Hash: 76411435A00701BBDB256BB99C46BFE3AE4EF41330F14022BF41897393EE74894196B2

Function 00126278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001262E2
ScreenToClient.USER32(?,?), ref: 00126315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00126382

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8861135840f28e4239dd98298522ae04167c6af6b1e49064806cfa4920297cc4
Instruction ID: ec4f4abc94f5dba5a3776f0608c90b955a6e2da2e82becd0cd7db7647c451cf9
Opcode Fuzzy Hash: 8861135840f28e4239dd98298522ae04167c6af6b1e49064806cfa4920297cc4
Instruction Fuzzy Hash: A7513A74A00219EFCF24DF68E880AAE7BB5FF55364F108159F9599B290D730EDA1CB90

Function 00111AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00111AFD
WSAGetLastError.WSOCK32 ref: 00111B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00111B8A
WSAGetLastError.WSOCK32 ref: 00111B94

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 5d2d556cc19ed0e1688285d44ec625ed99bd456662c81bd11d3d5897d3c96d41
Instruction ID: ebf9031e8e2136bc14247f9e501884e599cad6eb82fc7a3cbd27454e989d1bc3
Opcode Fuzzy Hash: 5d2d556cc19ed0e1688285d44ec625ed99bd456662c81bd11d3d5897d3c96d41
Instruction Fuzzy Hash: FC41D6756002006FEB24AF24C886FA977E5AB44718F54C458FA1A9F7D3D772ED81CB90

Function 000CB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fab9eea8337e9f504232340ac61c0f9af7483f7ffd96904521124a142818b5d
Instruction ID: bc46c8bf6d4b8d8eeb0b0fa86c546c5161289a49cdbda61703d69d9b9d3e0970
Opcode Fuzzy Hash: 9fab9eea8337e9f504232340ac61c0f9af7483f7ffd96904521124a142818b5d
Instruction Fuzzy Hash: 6541B075A44704AFD7289F78CC42FAEBBE9EB88710F10462EF551DB682D77199018790

Function 001056D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00105783
GetLastError.KERNEL32(?,00000000), ref: 001057A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001057CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001057FA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 965f60ce8bd6b0b8c8b573c25a385db7ebd0a5ea563d7f2029278175a8beb585
Instruction ID: b06de9aebdc0868029414f420cff20a17e97f971c492c52dab41fa1396acc358
Opcode Fuzzy Hash: 965f60ce8bd6b0b8c8b573c25a385db7ebd0a5ea563d7f2029278175a8beb585
Instruction Fuzzy Hash: 7E412B3A604A10DFCF11DF15C544A5EBBE2AF89320B59C488E94AAB362CB70FD41DF91

Function 000CD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,000B6D71,00000000,00000000,000B82D9,?,000B82D9,?,00000001,000B6D71,8BE85006,00000001,000B82D9,000B82D9), ref: 000CD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000CD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000CD9AB
__freea.LIBCMT ref: 000CD9B4

Part of subcall function 000C3820: RtlAllocateHeap.NTDLL(00000000,?,00161444,?,000AFDF5,?,?,0009A976,00000010,00161440,000913FC,?,000913C6,?,00091129), ref: 000C3852

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0f67eda2ec011a34957b68148bac11acaf31673e5eedbac359bf8f6322e6124d
Instruction ID: 2bbde1a3658f5a916e0c10d23d00ef0added5810cf1dce365d365d01624432d2
Opcode Fuzzy Hash: 0f67eda2ec011a34957b68148bac11acaf31673e5eedbac359bf8f6322e6124d
Instruction Fuzzy Hash: 7731AD72A1020AABDB25DF64DC81EEF7BA5EB41710B05426EFC04D6291EB35CD55CBA0

Function 001252C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00125352
GetWindowLongW.USER32(?,000000F0), ref: 00125375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00125382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001253A8

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 268d984706394f03af7aca4bc2a6d0a16a6936a2be6f3675906075a9bbbe96ab
Instruction ID: 8e3f10ece4775297e303ad620bf9f2a4a38913d539825f74e6d8e8c453a90f95
Opcode Fuzzy Hash: 268d984706394f03af7aca4bc2a6d0a16a6936a2be6f3675906075a9bbbe96ab
Instruction Fuzzy Hash: DE31C234A55A28FFEB34DA14EC86BE83767BB053D0F586101FA11962E1C7B09DA0DB81

Function 000FAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 000FABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 000FAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 000FAC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 000FACC6

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d27b7490ee1cb0b8e93288dc0b765984e97ab97cf357f9a704fe871706e86cca
Instruction ID: bcf0342c27e298cf723ae191ae21d749fd723076f0e08aa01fdba0a100fd35c3
Opcode Fuzzy Hash: d27b7490ee1cb0b8e93288dc0b765984e97ab97cf357f9a704fe871706e86cca
Instruction Fuzzy Hash: 383108B0B0071C6FEF35CB658C147FE7BF5AB4A310F04421AE68952AD1C3758995A7D2

Function 00127674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0012769A
GetWindowRect.USER32(?,?), ref: 00127710
PtInRect.USER32(?,?,00128B89), ref: 00127720
MessageBeep.USER32(00000000), ref: 0012778C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e6a0b237c8cd860a2b41743d7327b03a1e1e601b5f0c48d4ee12edd2fa303ee6
Instruction ID: a9d4165d817d58307bd569e459467dbeeed12734cb57acfa3cf4a9d55b82d9e9
Opcode Fuzzy Hash: e6a0b237c8cd860a2b41743d7327b03a1e1e601b5f0c48d4ee12edd2fa303ee6
Instruction Fuzzy Hash: F741C034605265EFCB11CF58E898EAA77F4FF48304F1941A8E914DB2A1C370E992CF90

Function 001216DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001216EB

Part of subcall function 000F3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000F3A57
Part of subcall function 000F3A3D: GetCurrentThreadId.KERNEL32 ref: 000F3A5E
Part of subcall function 000F3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000F25B3), ref: 000F3A65

GetCaretPos.USER32(?), ref: 001216FF
ClientToScreen.USER32(00000000,?), ref: 0012174C
GetForegroundWindow.USER32 ref: 00121752

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 18e0d5762042027dee02a3de1fa503adc3a6a5d9683f15d896be4ee60509d920
Instruction ID: cab981279ffe90e6bb9d5e19bf2838e6419d0fee41212b24c6473123485cba39
Opcode Fuzzy Hash: 18e0d5762042027dee02a3de1fa503adc3a6a5d9683f15d896be4ee60509d920
Instruction Fuzzy Hash: F7315272D00149AFDB10EFAAC881CEEB7F9EF98304B508069E515E7612E731DE45CBA1

Function 000FDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

_wcslen.LIBCMT ref: 000FDFCB
_wcslen.LIBCMT ref: 000FDFE2
_wcslen.LIBCMT ref: 000FE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 000FE018

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: d9db8522d8946541d5697729d63d735818946401bb3bea7b0c4634871cfeac37
Instruction ID: ae0d2772ad9be72ce12da15892b5d457deba46b41327623ef1073f51a0ab071d
Opcode Fuzzy Hash: d9db8522d8946541d5697729d63d735818946401bb3bea7b0c4634871cfeac37
Instruction Fuzzy Hash: B121A175900218AFCB21DFA8D981BFEB7F8EF45750F144065EA05BB282D6709E41DBA1

Function 00128FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

GetCursorPos.USER32(?), ref: 00129001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000E7711,?,?,?,?,?), ref: 00129016
GetCursorPos.USER32(?), ref: 0012905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000E7711,?,?,?), ref: 00129094

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: dc019fae272fbc2397bac4948ae9e8837ea90126302bf7e3ffacc7a23e6975db
Instruction ID: 41a63346b400a9f7a8eed84782de80a611802ddffd6d1df1bfd200ea263ea402
Opcode Fuzzy Hash: dc019fae272fbc2397bac4948ae9e8837ea90126302bf7e3ffacc7a23e6975db
Instruction Fuzzy Hash: C121AE35600028FFDB258F98DC58EFA7BB9FF8A350F044169F9058B261C37599A1DBA0

Function 000FD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0012CB68), ref: 000FD2FB
GetLastError.KERNEL32 ref: 000FD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 000FD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0012CB68), ref: 000FD376

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 6d0271e048f70105b7bebdc02a22bd8e354b341eb8473498b8e986e705c70606
Instruction ID: 5628965b16595f8ab31bde5276b2e5cb02d1ec3e49d553ca7c431c202648b033
Opcode Fuzzy Hash: 6d0271e048f70105b7bebdc02a22bd8e354b341eb8473498b8e986e705c70606
Instruction Fuzzy Hash: 9A21D3705082059F8710DF28C8818BE77E5EF55364F104A1EF699C32A2DB30DA46EB93

Function 000F1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000F102A
Part of subcall function 000F1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000F1036
Part of subcall function 000F1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1045
Part of subcall function 000F1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000F104C
Part of subcall function 000F1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000F1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000F15BE
_memcmp.LIBVCRUNTIME ref: 000F15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000F1617
HeapFree.KERNEL32(00000000), ref: 000F161E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 910b1be4f3fcaea2efbadf02721f81bb4112e1bd6d61089888a5c942de47560c
Instruction ID: a1ed43eb136fa675f9d774de370a6d742d9184a5d3819a1074f0d71b3dc3c76f
Opcode Fuzzy Hash: 910b1be4f3fcaea2efbadf02721f81bb4112e1bd6d61089888a5c942de47560c
Instruction Fuzzy Hash: 32215531E00108EBDB14DFA4C949BEEB7F8EF84744F084459E641AB641E771AA45EBA0

Function 00122782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0012280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00122824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00122832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00122840

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3d97cc13431162ce0c76bf198e6b92060c1a09bc1a67a19ca51b2150baef62a4
Instruction ID: b56eb253e6b0033c3168fa80990a1b5313f119fb4a85a8c700ab8712550ed86c
Opcode Fuzzy Hash: 3d97cc13431162ce0c76bf198e6b92060c1a09bc1a67a19ca51b2150baef62a4
Instruction Fuzzy Hash: 1E21E031208520BFD7149B24D844FAE7B95AF55324F148258F4268BAA2CB71EC92CBD0

Function 000F78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000F8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000F790A,?,000000FF,?,000F8754,00000000,?,0000001C,?,?), ref: 000F8D8C
Part of subcall function 000F8D7D: lstrcpyW.KERNEL32(00000000,?,?,000F790A,?,000000FF,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F8DB2
Part of subcall function 000F8D7D: lstrcmpiW.KERNEL32(00000000,?,000F790A,?,000000FF,?,000F8754,00000000,?,0000001C,?,?), ref: 000F8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F7923
lstrcpyW.KERNEL32(00000000,?,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,000F8754,00000000,?,0000001C,?,?,00000000), ref: 000F7984

Strings

cdecl, xrefs: 000F797B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: aab55f1852ada98d76396f3f633bc34f3ceb60e39217765b415b81d6521b1ab8
Instruction ID: 39ea7ca46f9c13a657909956a5b880e735e551214330a57cba4fdee69511abbd
Opcode Fuzzy Hash: aab55f1852ada98d76396f3f633bc34f3ceb60e39217765b415b81d6521b1ab8
Instruction Fuzzy Hash: D311293A204306ABDB259F34CC45DBE77E5FF45350B40402AFA06C76A5EF719811D792

Function 00127CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00127D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00127D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00127D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0010B7AD,00000000), ref: 00127D6B

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 36e20816feb22fab825260bcec16785306c87c3d5328c5e9b5b2842fec5e626a
Instruction ID: ad83e6b7b671569fa59f3f1e855ae970db683792c86b0f4f73b370e72450c0f2
Opcode Fuzzy Hash: 36e20816feb22fab825260bcec16785306c87c3d5328c5e9b5b2842fec5e626a
Instruction Fuzzy Hash: 3611AF31605669AFCB149F68EC04AAB3BA5AF45360B154728F939D72F0E73099B1CB90

Function 00125660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001256BB
_wcslen.LIBCMT ref: 001256CD
_wcslen.LIBCMT ref: 001256D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00125816

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 691733b78424ef4015a1842d82b637ba568d81e1b24ca9acb340a2ff46111903
Instruction ID: 585fcf730dcafca71a38be7ed7da972285fa99ff205c476e7a377235820b1cce
Opcode Fuzzy Hash: 691733b78424ef4015a1842d82b637ba568d81e1b24ca9acb340a2ff46111903
Instruction Fuzzy Hash: 4F110871A00628A6DF20EF65ECC5AFE77BDEF10764F504026F915D6182E770CAA0CB60

Function 000C1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dccaebe2c3f4435e1837916b8ff2d2abb4038353fb479368fad4d5f68c30ba2
Instruction ID: 6c6857060e2ca7e11d317049f7a21f2350958dafb9cd20678de7ce0d76089b1e
Opcode Fuzzy Hash: 4dccaebe2c3f4435e1837916b8ff2d2abb4038353fb479368fad4d5f68c30ba2
Instruction Fuzzy Hash: 210162B2205A167EF66117787CC1FAF669DDF423B8B35032DF522511D7DB708C5051A0

Function 000F1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000F1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000F1A8A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 33fda1b57745d4b520067054133c99f4d4ca5de03df48db92ee2c8206aa6c01d
Instruction ID: 510dac901c79ddefa9de43f7a4a9e7b6531234bb71c4dea4fabdfaf0d261aae9
Opcode Fuzzy Hash: 33fda1b57745d4b520067054133c99f4d4ca5de03df48db92ee2c8206aa6c01d
Instruction Fuzzy Hash: B511093AD01219FFEB11DBA5CD85FEDBBB8EB08750F200091EA04B7290D6716E51EB94

Function 000FE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000FE1FD
MessageBoxW.USER32(?,?,?,?), ref: 000FE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000FE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000FE24D

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 0888c464601bf823d65aeefcfb5af3c84d9d8d2caef36aa163ff1a3e9d3851b7
Instruction ID: 358878f1f18c8e4e762d87baccc1c5a318fa612b51fb63dd52a3c8e5f8d0e304
Opcode Fuzzy Hash: 0888c464601bf823d65aeefcfb5af3c84d9d8d2caef36aa163ff1a3e9d3851b7
Instruction Fuzzy Hash: AB112B76904258BFD7119FA8DC05AAF7FADBB45320F144615FA15D3B91E2B0CD5087A0

Function 000BD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,000BCFF9,00000000,00000004,00000000), ref: 000BD218
GetLastError.KERNEL32 ref: 000BD224
__dosmaperr.LIBCMT ref: 000BD22B
ResumeThread.KERNEL32(00000000), ref: 000BD249

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 0249ae8ae48876ca66a4fe88cd416cf4565bbcf5efe02156a06bae41a6f20297
Instruction ID: e1c31d1f43a98d9b89a493530ca5c463949a6c7387f7835792f1ff4e590885bb
Opcode Fuzzy Hash: 0249ae8ae48876ca66a4fe88cd416cf4565bbcf5efe02156a06bae41a6f20297
Instruction Fuzzy Hash: 5E01F936805205BFDB215BA5DC05BEEBB69EF91330F10021AFA25961D1EB71C951C7E0

Function 00129EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 000A9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000A9BB2

GetClientRect.USER32(?,?), ref: 00129F31
GetCursorPos.USER32(?), ref: 00129F3B
ScreenToClient.USER32(?,?), ref: 00129F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00129F7A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: faed22ed1cf508b99226e458e71f462e9517ba926d7624b46245c3427ad37b88
Instruction ID: 82baaaa7ae3195b3d7e3c93b613a5545d9e701e518d8bae5fa2cc8496cb2057b
Opcode Fuzzy Hash: faed22ed1cf508b99226e458e71f462e9517ba926d7624b46245c3427ad37b88
Instruction Fuzzy Hash: 26113632A0012ABBDB50DFA8E9859EE7BB9FF05311F000455F911E3550D330BAA2CBE1

Function 0009600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0009604C
GetStockObject.GDI32(00000011), ref: 00096060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0009606A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a0e5322c1f8f2254ec1e152731a6b49177eedf32691a94012c96951b28fc1373
Instruction ID: 9f3314b37d118d0ab8035dabda6e5770688300b7373788f01754e4a92e31bc4d
Opcode Fuzzy Hash: a0e5322c1f8f2254ec1e152731a6b49177eedf32691a94012c96951b28fc1373
Instruction Fuzzy Hash: 7D116172501508BFEF224F949C94EEFBBA9EF58394F040115FA1452110D732ACA0EBA0

Function 000B3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 000B3B56

Part of subcall function 000B3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000B3AD2
Part of subcall function 000B3AA3: ___AdjustPointer.LIBCMT ref: 000B3AED

_UnwindNestedFrames.LIBCMT ref: 000B3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000B3B7C
CallCatchBlock.LIBVCRUNTIME ref: 000B3BA4

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d6d1156f3a775e8025591253470a43454d76ec7e351c56e24fdf0b54d1e85eee
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C4012932100148BBDF126E95CC42EEB7BA9EF58754F144014FE4866122C732E961EBA0

Function 000C3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000913C6,00000000,00000000,?,000C301A,000913C6,00000000,00000000,00000000,?,000C328B,00000006,FlsSetValue), ref: 000C30A5
GetLastError.KERNEL32(?,000C301A,000913C6,00000000,00000000,00000000,?,000C328B,00000006,FlsSetValue,00132290,FlsSetValue,00000000,00000364,?,000C2E46), ref: 000C30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000C301A,000913C6,00000000,00000000,00000000,?,000C328B,00000006,FlsSetValue,00132290,FlsSetValue,00000000), ref: 000C30BF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: fa8588abd01b8016a019c7305b474331de239f11f0eb4813e12536e2e33e184e
Instruction ID: 4f423b663bf0760acf22e63d969284e63d915131d3d8af48a9653a40ab5ce1d7
Opcode Fuzzy Hash: fa8588abd01b8016a019c7305b474331de239f11f0eb4813e12536e2e33e184e
Instruction Fuzzy Hash: 0D01D833321622ABC7314B78AC54F6F7798AF05761B308628FA06D3140C721D955C6D0

Function 000F7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000F747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000F7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000F74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000F74CA

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: aee418093e424045ff5d704508eaed3041532e19ab427f81aea31720dbdc0963
Instruction ID: 4fc8d82b19645a1194b27edfe7e65e4f308d936b41ac12c4af509c9da0a6acac
Opcode Fuzzy Hash: aee418093e424045ff5d704508eaed3041532e19ab427f81aea31720dbdc0963
Instruction Fuzzy Hash: 7611A1B1205319ABE7309F14EC09BA67BFCEB00B00F108569E71AD7991D770F944EB92

Function 000FB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000FACD3,?,00008000), ref: 000FB126

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4a91fe222e44f19d3c62d08c725aee49a32b6e7391805c3a8f1587fe17e80266
Instruction ID: c0bcb4d07f2efb3244d43a866edf35d9a7cfa6016fe84173dc122f013a932db5
Opcode Fuzzy Hash: 4a91fe222e44f19d3c62d08c725aee49a32b6e7391805c3a8f1587fe17e80266
Instruction Fuzzy Hash: E7116D31C01A2CEBCF14AFE4E9A96FEBB78FF49711F504085DA41B2581CB3096A19F91

Function 00127E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00127E33
ScreenToClient.USER32(?,?), ref: 00127E4B
ScreenToClient.USER32(?,?), ref: 00127E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00127E8A

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2f49ed89dc4ed66793042ce4c8384d8df985486e4a6bf0f6bd5ad2134e4d7ab4
Instruction ID: 68e1f145146dabea5a229ca157f5894fcfbcf30b29f137017d16a5316862e196
Opcode Fuzzy Hash: 2f49ed89dc4ed66793042ce4c8384d8df985486e4a6bf0f6bd5ad2134e4d7ab4
Instruction Fuzzy Hash: 0F1163B9D0024AAFDB51CF98D8849EEBBF5FF08310F104056E911E2610D734AAA5CF90

Function 000F2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000F2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 000F2DD6
GetCurrentThreadId.KERNEL32 ref: 000F2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000F2DE4

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b2aa7a5aed03f9b7f90fdf4a0ea80cef99d07e6d54bc97a5693a2398daf92df7
Instruction ID: a655dfa2b99d84c136a324934a3d8930b2cd5904069196c6e832b11aa6c151ea
Opcode Fuzzy Hash: b2aa7a5aed03f9b7f90fdf4a0ea80cef99d07e6d54bc97a5693a2398daf92df7
Instruction Fuzzy Hash: 7FE06D71101628BBE7341B629C0EEFF7E6CEB42BA1F400115B305D59809AA48882D6F0

Function 00128863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000A9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000A9693
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96A2
Part of subcall function 000A9639: BeginPath.GDI32(?), ref: 000A96B9
Part of subcall function 000A9639: SelectObject.GDI32(?,00000000), ref: 000A96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00128887
LineTo.GDI32(?,?,?), ref: 00128894
EndPath.GDI32(?), ref: 001288A4
StrokePath.GDI32(?), ref: 001288B2

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 72e7337c2eac0fbacf0faebe52e014df29e6045f7bd849ab979e30bb1a8d248c
Instruction ID: 9e9ce1d8c53af0c95d784ca9b7e12094273c32d773cfd696973fb3c08352ba63
Opcode Fuzzy Hash: 72e7337c2eac0fbacf0faebe52e014df29e6045f7bd849ab979e30bb1a8d248c
Instruction Fuzzy Hash: ABF05E3A042668FAEB225F94AC0AFCE3F59AF06310F048000FB11654E2C7B555B2CFE9

Function 000A98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000A98CC
SetTextColor.GDI32(?,?), ref: 000A98D6
SetBkMode.GDI32(?,00000001), ref: 000A98E9
GetStockObject.GDI32(00000005), ref: 000A98F1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 53478d1482a7d94e7f4beae833b2a4d3012e1d15dca596084eb87e32627ad269
Instruction ID: 491bb186d0bc5fa518e3fd7d4125272191d817e02c2269f22b08a78eeca8529a
Opcode Fuzzy Hash: 53478d1482a7d94e7f4beae833b2a4d3012e1d15dca596084eb87e32627ad269
Instruction Fuzzy Hash: 2DE06531244680FEDB315B75AC09BDD3F51AB52336F048219F7F9544E1C3B146A19B51

Function 000F162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000F1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,000F11D9), ref: 000F163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000F11D9), ref: 000F1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,000F11D9), ref: 000F164F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5b27a5695104aa1986db06bfae94ac5d84d9a8451c57c343e8eccad2d1bf84a2
Instruction ID: 2ec8606cd0b4479ee429ba4b94b92d26f8609258825ad7358c16ee3c5ed6ecee
Opcode Fuzzy Hash: 5b27a5695104aa1986db06bfae94ac5d84d9a8451c57c343e8eccad2d1bf84a2
Instruction Fuzzy Hash: C6E08635601211FBD7701FA0AD0DB9B3BBDAF54791F184808F345CA480D6344492C7D8

Function 000ED858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000ED858
GetDC.USER32(00000000), ref: 000ED862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000ED882
ReleaseDC.USER32(?), ref: 000ED8A3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4c3be2a4e8ced59f6318a0dd1d77895fab187e3450a215cb3c586a8c7ccb85c1
Instruction ID: 7433ab4e1b1a3ff3052e9c66a890802ebaeee70ceb8cd801aca8a38deed78af7
Opcode Fuzzy Hash: 4c3be2a4e8ced59f6318a0dd1d77895fab187e3450a215cb3c586a8c7ccb85c1
Instruction Fuzzy Hash: 89E01AB5C00204EFCF619FA0D908A6DBBB1FB08710F20801AF90AE7750CB384992AF80

Function 000ED86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000ED86C
GetDC.USER32(00000000), ref: 000ED876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000ED882
ReleaseDC.USER32(?), ref: 000ED8A3

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b7a6af2b3265a8b2dbdd05b5b6ec3e8090938ccbaba6e707215a5f8c199fef97
Instruction ID: db1d947df7aaf8b19b94c28309f9fb81cf35519e72e5cd78bcefadc2fdf3ea50
Opcode Fuzzy Hash: b7a6af2b3265a8b2dbdd05b5b6ec3e8090938ccbaba6e707215a5f8c199fef97
Instruction Fuzzy Hash: 32E09A75C00204EFCF619FA0D808A6DBBB5FB08711B148459FA4AE7750D7385952AF94

Function 00104D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00097620: _wcslen.LIBCMT ref: 00097625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00104ED4

Strings

LPT, xrefs: 00104DFB
*, xrefs: 00104E10

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 980d5bf8bafc5e17c2d394d997de6dd2be89aa6ed6d5883295f325906af60f73
Instruction ID: 19c04d631226634b7d947f8d9b94b94d0e57c2c1db607b726536bb7b3c213666
Opcode Fuzzy Hash: 980d5bf8bafc5e17c2d394d997de6dd2be89aa6ed6d5883295f325906af60f73
Instruction Fuzzy Hash: 449181B5A042059FCB14DF58C4C4EAABBF1BF44304F198099E94A9F3A2C7B5ED85CB90

Function 000BE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000BE30D

Strings

pow, xrefs: 000BE2E5, 000BE302

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 33589ac143b7f072c9628b5ba6c1e03db8b9bade58ea657f033fb112a52a2980
Instruction ID: 0bfd997245219281c92d4a47a491e383e542d948977f379c13b146c06cc94b6d
Opcode Fuzzy Hash: 33589ac143b7f072c9628b5ba6c1e03db8b9bade58ea657f033fb112a52a2980
Instruction Fuzzy Hash: 3E516D61A0C24296CB657724CD45BFD3BF8EF50B40F34896CE0DA822E9DB348CD59E86

Function 000AE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 000AE1B1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 803521a8f9c1ab40d1834b17aa9033e26e377c39413a29c9f71c38d4f6562a3c
Instruction ID: b41c179173ec4d53bdc3952fd77161715dc4c36ae853388393aff95ac93f4e31
Opcode Fuzzy Hash: 803521a8f9c1ab40d1834b17aa9033e26e377c39413a29c9f71c38d4f6562a3c
Instruction Fuzzy Hash: 595100355082CADFDF65DF69C481AFE7BE4EF66310F244059E891AB2D1DA309D42CBA0

Function 000AF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000AF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 000AF2BB

Strings

@, xrefs: 000AF2AF

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 43cba4004997a498f243735381951c6d6541a0becd483e86ea2a805fbd6d389d
Instruction ID: 2c427467357c4f4c850d691000da97c43007c9b6b979b2dbadbcb47bfcfa34de
Opcode Fuzzy Hash: 43cba4004997a498f243735381951c6d6541a0becd483e86ea2a805fbd6d389d
Instruction Fuzzy Hash: 5F515972418744ABE720AF10DC86BAFBBF8FB85300F81485CF1D9411A6EB718569CB67

Function 00115745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001157E0
_wcslen.LIBCMT ref: 001157EC

Strings

CALLARGARRAY, xrefs: 001157E6, 001157EB

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b023d65f0a2072a42c7f72e03457ce60e1c755e2a19c211bcb5f9e37fc5dc617
Instruction ID: c134a61c162cdbcf9c5b6cc067f65ed1b809a640a0df513d16b7e603aeb34760
Opcode Fuzzy Hash: b023d65f0a2072a42c7f72e03457ce60e1c755e2a19c211bcb5f9e37fc5dc617
Instruction Fuzzy Hash: 76418071A00509DFCB18DFA9C8819FEBBB6FF99324F104169E515A7292E7309D81CB90

Function 0010D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0010D13A

Strings

|, xrefs: 0010D10B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a2de67461d055f02676a6aaac8e53f6b73a16ef2ce4a49cb283d25dd600e85d0
Instruction ID: 98e33f44ab0bbf48d8b2dc22f9542d9f8b94441d3080b3bd9ee06b1efdca4cf5
Opcode Fuzzy Hash: a2de67461d055f02676a6aaac8e53f6b73a16ef2ce4a49cb283d25dd600e85d0
Instruction Fuzzy Hash: E9313B71D00209ABCF15EFA4DC85AEEBFB9FF04340F000059F815A6262EB71AA56DB60

Function 0012356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00123621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0012365C

Strings

static, xrefs: 001235BC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c501213d253b5bb5adda1f5305ac2fca2f370cc65a0728127bdd3db1fab726c0
Instruction ID: 0b6c8792f38eba87969731ddf919eaaf8b85fd5cf9b757c51f271b9d23ee9f7b
Opcode Fuzzy Hash: c501213d253b5bb5adda1f5305ac2fca2f370cc65a0728127bdd3db1fab726c0
Instruction Fuzzy Hash: 01318171110614AEDB249F64DC40FFB73ADFF48710F108619F96597280DB35ADA1D760

Function 00124537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0012461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00124634

Strings

', xrefs: 0012458E

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 30c759f935299457ed15c1d16b26b9b539b9ce43aca174aa4e1be65e2bad207e
Instruction ID: cebf6b92dc11f904334524f8a0429e1d7421f15be990ec73bd1bfac5c9468999
Opcode Fuzzy Hash: 30c759f935299457ed15c1d16b26b9b539b9ce43aca174aa4e1be65e2bad207e
Instruction Fuzzy Hash: 70314A74A00319AFDF14CFA9D980BDA7BB5FF09300F14406AE904AB381D770A951CF90

Function 001231EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0012327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00123287

Strings

Combobox, xrefs: 00123249

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 89d81c37a03c48b104850109d5c0dc8e0b923a3e59fbd7d779fbd1812ba8b31b
Instruction ID: c77f9181e9268942ec488857b39056399f2a1f4c57992804eb1d6b31b3971c90
Opcode Fuzzy Hash: 89d81c37a03c48b104850109d5c0dc8e0b923a3e59fbd7d779fbd1812ba8b31b
Instruction Fuzzy Hash: 5811E271300218BFEF219F54EC81EFB3B6AEB943A4F100124F928A7290D7359D619760

Function 00123710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0009600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0009604C
Part of subcall function 0009600E: GetStockObject.GDI32(00000011), ref: 00096060
Part of subcall function 0009600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0009606A

GetWindowRect.USER32(00000000,?), ref: 0012377A
GetSysColor.USER32(00000012), ref: 00123794

Strings

static, xrefs: 00123757

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5fe81861b110524945d61560e614649717b07aa8d50c12287a1d253d86685a17
Instruction ID: ed23a715c40e822f9414348b02a3fd82e11a9ad8162217c13a9d806820c43e51
Opcode Fuzzy Hash: 5fe81861b110524945d61560e614649717b07aa8d50c12287a1d253d86685a17
Instruction Fuzzy Hash: AF1129B261021AAFDF11DFA8DC45AEE7BB8FB08354F004514FA65E2250E775E8619B90

Function 0010CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0010CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0010CDA6

Strings

<local>, xrefs: 0010CD66

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1ff661c8bcfce0e7434782f2cdc67b3a90fc458601d23bd04a0e7395d7c9633c
Instruction ID: ae87e74233521e4474785400d6d507ef5b70df70b3d5a09ce9e33a1c84317a91
Opcode Fuzzy Hash: 1ff661c8bcfce0e7434782f2cdc67b3a90fc458601d23bd04a0e7395d7c9633c
Instruction Fuzzy Hash: 7E11C671215631BAD7384BA68C45EE7BE6CEF127A4F004336B189830C0D7B09845DBF0

Function 00123429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001234AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001234BA

Strings

edit, xrefs: 0012348F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: eb13f4fe132eeb190242212a6d90f7d63affe355b964303702965fa1295e95f4
Instruction ID: 2bf33bb5370ae32e0a43407bcc882996899171bab1330aa338f1bec86c294e70
Opcode Fuzzy Hash: eb13f4fe132eeb190242212a6d90f7d63affe355b964303702965fa1295e95f4
Instruction Fuzzy Hash: 7A11BF71100168AFEF226E64EC44AEB376AEB04374F504364FA70931D0C779DCA1AB60

Function 000F6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

CharUpperBuffW.USER32(?,?,?), ref: 000F6CB6
_wcslen.LIBCMT ref: 000F6CC2

Strings

STOP, xrefs: 000F6CBC, 000F6CC1

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1f18127ccbbdc0509ced56ec0f0240f2c4cfe27f7f7fcf790d862b90893a4382
Instruction ID: 93719aa46b1f164e6b30e6beb85dd0197d9de47051073b1b1851c6fed280310b
Opcode Fuzzy Hash: 1f18127ccbbdc0509ced56ec0f0240f2c4cfe27f7f7fcf790d862b90893a4382
Instruction Fuzzy Hash: 19012B32A0052A9BCB209FBDDC408FF33F5EB61710B000538E9A297595EB33D900E690

Function 000F1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000F1D4C

Strings

ComboBox, xrefs: 000F1CEB
ListBox, xrefs: 000F1D16

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9addb16302a94197e7fa42b280923d0f525872d02b9bb699a461e9ca1dfbad0b
Instruction ID: 7c1ede9a9e0b256a785625d112a0a0e89d2d34dfed4134c0338e0a9becba34f3
Opcode Fuzzy Hash: 9addb16302a94197e7fa42b280923d0f525872d02b9bb699a461e9ca1dfbad0b
Instruction Fuzzy Hash: AC01B57160121CEBCF14EBA4CC558FE73B9EB46350B04051EA932676D2EA315908A760

Function 000F1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 000F1C46

Strings

ComboBox, xrefs: 000F1BE5
ListBox, xrefs: 000F1C10

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 699313aaf6434d49488d7787f64d79e540a7403e669df31e3d5b29eb7062e6ca
Instruction ID: 8a74477d27b526edd2793836ee557125e064002de26dc9cad1b857a3f9c6b6f0
Opcode Fuzzy Hash: 699313aaf6434d49488d7787f64d79e540a7403e669df31e3d5b29eb7062e6ca
Instruction Fuzzy Hash: 8301A77568110CA6CF14EB94CD669FF77E99B11340F14001DAA1677682EA24AE0CE7F1

Function 000F1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 000F1CC8

Strings

ComboBox, xrefs: 000F1C69
ListBox, xrefs: 000F1C94

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b89613fb9a773a785b0bb5f8a8be17831b7a7189b9ffed11f13c765c52fd6348
Instruction ID: 9dc1500fceb7367e03d7a22a016f588cc4b3204708d6947817c4c62ceecae655
Opcode Fuzzy Hash: b89613fb9a773a785b0bb5f8a8be17831b7a7189b9ffed11f13c765c52fd6348
Instruction Fuzzy Hash: E201D6B1A8011CA7CF14EBA5CE12AFF77E89B11340F540029B91277682EA219F08E6F1

Function 000F1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00099CB3: _wcslen.LIBCMT ref: 00099CBD

Part of subcall function 000F3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000F3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000F1DD3

Strings

ComboBox, xrefs: 000F1D75
ListBox, xrefs: 000F1DA0

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 576ed00cbed53368d75c401ac38af1e4375c9959c1db537f538e31e920b19449
Instruction ID: 878ad7941e5e4be986fc17df9439e6ff4bdd51caf0ee12b0be7fbc92654e4e63
Opcode Fuzzy Hash: 576ed00cbed53368d75c401ac38af1e4375c9959c1db537f538e31e920b19449
Instruction Fuzzy Hash: F9F0A471A4121CA6DF14EBA9CC66AFF77B8AB01350F440919B932676C2DA645908A2A0

Function 0011747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00117493
_wcslen.LIBCMT ref: 001174B9

Strings

3, 3, 16, 1, xrefs: 00117483

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: dfa1818866577a364936cf3f393b511e43c421a4280c2feb12359dcbb4a12eac
Instruction ID: adfcb8286393765da6d7af28297ee2086cd5f070e89a1153178dea0387973081
Opcode Fuzzy Hash: dfa1818866577a364936cf3f393b511e43c421a4280c2feb12359dcbb4a12eac
Instruction Fuzzy Hash: F7E02B022042201093351279ACC19FF5699DFC97A0714183BF981C23E7EB948ED193A0

Function 000F0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000F0B23

Strings

AutoIt, xrefs: 000F0B17
Error allocating memory., xrefs: 000F0B1C

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: b07fbd149f90acee313894b8c42e9296093c8b065cdc3fe91f9d199803c031b6
Instruction ID: bd8dd0ed2b5d322334ad29e0bcac6d00f2264418f4eeb4389ffd6474b589c907
Opcode Fuzzy Hash: b07fbd149f90acee313894b8c42e9296093c8b065cdc3fe91f9d199803c031b6
Instruction Fuzzy Hash: C2E0D83124431876D22037D47C03FDD7AC58F05B55F100426FB58554C38BE265B056E9

Function 000B0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000AF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000B0D71,?,?,?,0009100A), ref: 000AF7CE

IsDebuggerPresent.KERNEL32(?,?,?,0009100A), ref: 000B0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0009100A), ref: 000B0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000B0D7F

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 24a0bd51470b5e7b46cb03ce69fb5eb89b105766feda41fbbdd96337febe7971
Instruction ID: 67af0f6c4154541bf800a82741a35d9d7076102b8c1a55d8002cdac009874da0
Opcode Fuzzy Hash: 24a0bd51470b5e7b46cb03ce69fb5eb89b105766feda41fbbdd96337febe7971
Instruction Fuzzy Hash: 4BE06D742003118BD3709FB8E8083967BF0AF00740F01892DE482C6A92DBB5E4858BD1

Function 00103017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0010302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00103044

Strings

aut, xrefs: 00103038

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 173a2cba7bbeb1dfc6aa617b47030161c8dfc35e9136572d66705a5584ccd304
Instruction ID: 3e9742c23611ce5345877e1a4c87fd9506b3c2b81765a77f17c3cc24da474426
Opcode Fuzzy Hash: 173a2cba7bbeb1dfc6aa617b47030161c8dfc35e9136572d66705a5584ccd304
Instruction Fuzzy Hash: 1FD05E72500328B7DA30A7A4AC0EFCB7A7CDB04751F4002A1BB55E7091DEB09985CAD0

Function 000ED21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000ED220

Strings

X64, xrefs: 000ED2A8
%.3d, xrefs: 000ED22B

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9ad7737afa28376447b12d2fad47bba5b31375bc5687a48f9812196f9896266b
Instruction ID: 5f1fdd7798af5dc16502fa10ba7a354e82cf34c8ba34359bd2e394027fddf5d9
Opcode Fuzzy Hash: 9ad7737afa28376447b12d2fad47bba5b31375bc5687a48f9812196f9896266b
Instruction Fuzzy Hash: E2D01261808149EDCBB096E1DC459FDB37CFB29341F508457FA17B1040D724C5486761

Function 00122322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0012233F

Part of subcall function 000FE97B: Sleep.KERNEL32 ref: 000FE9F3

Strings

Shell_TrayWnd, xrefs: 00122325

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2ea31e385e2bb8278bd9f0357433f64552aed1335eaf467fe9bcf0bf9b019c11
Instruction ID: c4e45dfffe9910327c0e2f149d6a32500a7a243c53067914638a5aa3c1b2142a
Opcode Fuzzy Hash: 2ea31e385e2bb8278bd9f0357433f64552aed1335eaf467fe9bcf0bf9b019c11
Instruction Fuzzy Hash: 9BD02232394300F7E274B730DC0FFCE7A049B00B00F004A027705AA1E0C9F0A842CA90

Function 00122356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012236C
PostMessageW.USER32(00000000), ref: 00122373

Part of subcall function 000FE97B: Sleep.KERNEL32 ref: 000FE9F3

Strings

Shell_TrayWnd, xrefs: 00122365

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 412a1b8ab7edf428c864f2ae51fd1aa117ad5494399ba585bc5b49dfd123d5f5
Instruction ID: 214861ce607670cc7bab3b11a6360e6029f77429ead790856de82ddd73724cdd
Opcode Fuzzy Hash: 412a1b8ab7edf428c864f2ae51fd1aa117ad5494399ba585bc5b49dfd123d5f5
Instruction Fuzzy Hash: A3D0A932380300BAE274A730DC0FFCA76049B04B00F004A027701AA1E0C9F0A8428A94

Function 000CBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 000CBE93
GetLastError.KERNEL32 ref: 000CBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000CBEFC

Memory Dump Source

Source File: 00000000.00000002.1748075623.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.1748048547.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.000000000012C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748161450.0000000000152000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748222634.000000000015C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1748248538.0000000000164000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 303c11dc3271a84c454fc777e0d8f45414651b029f9f14888a86dab44b760d45
Instruction ID: 96e04242155d3f6cb7ee35f177fbf0fd54427f47671adf0f9d11d4715ae622a5
Opcode Fuzzy Hash: 303c11dc3271a84c454fc777e0d8f45414651b029f9f14888a86dab44b760d45
Instruction Fuzzy Hash: AD41BF34604216ABDB318FA4CC46FBE7BE5AF41720F14416DF9599B2A2DB308D02CB60

Analysis Process: firefox.exePID: 7804, Parent PID: 7868COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000242720371F2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000024272037257

Strings

#, xrefs: 00000242720355C5
>, xrefs: 000002427203805C
A, xrefs: 000002427203724F
z, xrefs: 0000024272038836
>, xrefs: 000002427203B2FF
>, xrefs: 00000242720372B9
z, xrefs: 000002427203728B
#, xrefs: 0000024272038331
#, xrefs: 0000024272037282
4, xrefs: 000002427203B2D9

Memory Dump Source

Source File: 00000010.00000002.3552682801.0000024272035000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000024272035000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_24272035000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: 4791d340b90b83b9e582c1117ab7709437205e4863388a97698239cfbe9a5427
Instruction ID: eeaa7543508764ad9798816f9c7df77083f49e3b97a639670f2c30ad45295034
Opcode Fuzzy Hash: 4791d340b90b83b9e582c1117ab7709437205e4863388a97698239cfbe9a5427
Instruction Fuzzy Hash: F1A30831618A4D8BDB2DDF19CC856A9B3E5FB94300F54422EE84BC7256DF34EA068BD1

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive

Source: firefox.exe, 0000000D.00000003.1791741584.0000024D05576000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1826348472.0000024D7F817000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1885044617.0000024D7F826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878833092.0000024D7F826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1904071736.0000024D0CB78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888322620.0000024D0CB78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1885508321.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894574426.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828228719.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1832029893.0000024D0AFA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828825472.0000024D0ECD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830460267.0000024D0C434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1832029893.0000024D0AFA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828825472.0000024D0ECD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830460267.0000024D0C434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901941626.0000024D046DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904071736.0000024D0CB78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906924314.0000024D046DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1885508321.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894574426.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828228719.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1832029893.0000024D0AFA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828825472.0000024D0ECD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830460267.0000024D0C434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1832029893.0000024D0AFA0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828825472.0000024D0ECD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1830460267.0000024D0C434000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3549479899.0000024271A0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3550094378.000002078A80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3549479899.0000024271A0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3550094378.000002078A80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3549479899.0000024271A0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3550094378.000002078A80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1888192325.0000024D0CBE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901941626.0000024D046DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1904071736.0000024D0CB78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1885508321.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894574426.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828228719.0000024D0EDEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1888192325.0000024D0CBE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914212641.0000024D0CBF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901941626.0000024D046DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906924314.0000024D046DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841842968.0000024D046DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: file.exe	Virustotal: Detection: 32%			Perma Link
Source: file.exe	ReversingLabs: Detection: 28%

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50055 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50056 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50057 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_06bcc6ba-0eed-4f41-9fa2-71ddb700b597.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_06bcc6ba-0eed-4f41-9fa2-71ddb700b597.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9WYF47P3HQA1VRBF374S.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AKWC79HN4QQ0U56C9U99.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre