Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561766
MD5:	9f7cb01682d1fbe5fc35eb17e7900b4f
SHA1:	8d96d54298af510bdf3504fc2c26f5e66555186f
SHA256:	1033ce004d2c19d50ee1c486231f95dafe0da44ade7539504569a710fe28c12c
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9F7CB01682D1FBE5FC35EB17E7900B4F)

taskkill.exe (PID: 7596 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7696 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7760 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7824 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7892 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7952 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7984 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8000 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7316 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38740587-0ab5-4558-a083-ac020817d2ac} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b1106d310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7880 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4076 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abdc506f-27bb-439e-bf29-d9789595e83a} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b11083610 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2916 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9efa6a00-eda8-4ed7-870f-68f089d89d22} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b225f3d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7580	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00D2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D2ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00D2EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00D1AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D49576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1693380066.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2b488528-d
Source: file.exe, 00000000.00000000.1693380066.0000000000D72000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3023131b-c
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ba1663aa-3
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6f365bc1-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024CC8D5B637 NtQuerySystemInformation,		16_2_0000024CC8D5B637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024CC8D7B972 NtQuerySystemInformation,		16_2_0000024CC8D7B972

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00D1D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00D1E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D22046	0_2_00D22046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB8060	0_2_00CB8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D18298	0_2_00D18298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEE4FF	0_2_00CEE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE676B	0_2_00CE676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D44873	0_2_00D44873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBCAF0	0_2_00CBCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDCAA0	0_2_00CDCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCCC39	0_2_00CCCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE6DD9	0_2_00CE6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB91C0	0_2_00CB91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCB119	0_2_00CCB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1394	0_2_00CD1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1706	0_2_00CD1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD781B	0_2_00CD781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD19B0	0_2_00CD19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC997D	0_2_00CC997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB7920	0_2_00CB7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD7A4A	0_2_00CD7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD7CA7	0_2_00CD7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1C77	0_2_00CD1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE9EEE	0_2_00CE9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3BE44	0_2_00D3BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1F32	0_2_00CD1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024CC8D5B637	16_2_0000024CC8D5B637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024CC8D7B972	16_2_0000024CC8D7B972
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024CC8D7C09C	16_2_0000024CC8D7C09C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000024CC8D7B9B2	16_2_0000024CC8D7B9B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CCF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CD0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D237B5 GetLastError,FormatMessageW,

0_2_00D237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D110BF AdjustTokenPrivileges,CloseHandle,		0_2_00D110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00D251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D1D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00D2648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00CB42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894063977.0000025B2A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1891755753.0000025B2CDB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38740587-0ab5-4558-a083-ac020817d2ac} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b1106d310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4076 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abdc506f-27bb-439e-bf29-d9789595e83a} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b11083610 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9efa6a00-eda8-4ed7-870f-68f089d89d22} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b225f3d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38740587-0ab5-4558-a083-ac020817d2ac} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b1106d310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4076 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abdc506f-27bb-439e-bf29-d9789595e83a} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b11083610 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9efa6a00-eda8-4ed7-870f-68f089d89d22} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b225f3d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1860094960.0000025B1E76E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1860834112.0000025B1E797000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1860094960.0000025B1E76E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 0000000D.00000003.1856813845.0000025B1E75C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856206025.0000025B1E75B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1860834112.0000025B1E797000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000D.00000003.1856813845.0000025B1E75C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856206025.0000025B1E75B000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD0A76 push ecx; ret		0_2_00CD0A89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB5C92 push 00000043h; iretd		0_2_00CB5C94

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00CCF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D41C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96575

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024CC8D5B637 rdtsc

16_2_0000024CC8D5B637

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00D1DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D268EE FindFirstFileW,FindClose,	0_2_00D268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00D2698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D1D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00D1D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D29642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00D2979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00D29B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D25C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00D25C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Source: firefox.exe, 00000010.00000002.2956959020.0000024CC8DA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf!
Source: firefox.exe, 0000000F.00000002.2956697397.00000238B9800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: firefox.exe, 0000000F.00000002.2956697397.00000238B9800000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2949722814.0000024CC84AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2950446495.000001D47D6EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2955723124.000001D47DA30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2956959020.0000024CC8DA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: firefox.exe, 0000000F.00000002.2955346485.00000238B9714000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.2951567034.00000238B92EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^
Source: firefox.exe, 0000000F.00000002.2951567034.00000238B92EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 0000000F.00000002.2956697397.00000238B9800000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2956959020.0000024CC8DA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000024CC8D5B637 rdtsc

16_2_0000024CC8D5B637

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D2EAA2 BlockInput,

0_2_00D2EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CE2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00CD4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00D10B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CE2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD09D5 SetUnhandledExceptionFilter,	0_2_00CD09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CD0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00D11201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00CF2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1B226 SendInput,keybd_event,

0_2_00D1B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00D322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00D10B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00D11663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD0698 cpuid

0_2_00CD0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D28195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00D28195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D0D27A GetUserNameW,

0_2_00D0D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CEBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00CEBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00CB42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7580, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7580, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00D31204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D31806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	26%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
https://youtube.comU	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.78	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.leboncoin.fr/bound	firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.2951366567.000001D47D9D7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1891755753.0000025B2CDB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880298282.0000025B2D707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913717105.0000025B2CDB9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2951978282.00000238B95CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2956208532.000001D47DC05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1774976533.0000025B28E6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876907984.0000025B28E6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.2951978282.00000238B9572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC8786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2951366567.000001D47D98F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1926043068.0000025B23742000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1905635233.0000025B22BF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.comU	firefox.exe, 0000000D.00000003.1918883598.0000025B232D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1932898463.0000025B22DA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919700780.0000025B22DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1737134626.0000025B20C00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737620746.0000025B1E840000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737844085.0000025B1E862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738027813.0000025B1E883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737384171.0000025B1E81F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1935209842.0000025B223C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1894371963.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915077947.0000025B2A996000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1801731659.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737134626.0000025B20C00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737620746.0000025B1E840000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737844085.0000025B1E862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738027813.0000025B1E883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737384171.0000025B1E81F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797535851.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871353055.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800926163.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868066575.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853693999.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792786583.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799037776.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799974052.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000D.00000003.1917778855.0000025B24374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898128340.0000025B24374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/complete/searchcbe309e0-f638-4996-9dfc-ea5c19ef16e9cb8e7210-9f0b-48fa-8708-b9	firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1737134626.0000025B20C00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737620746.0000025B1E840000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737844085.0000025B1E862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737384171.0000025B1E81F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000D.00000003.1917123857.0000025B24D93000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1926043068.0000025B23742000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2951978282.00000238B95CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2956208532.000001D47DC05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1894651585.0000025B2A92D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ok.ru/	firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1927979809.0000025B225BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2951978282.00000238B95CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2956208532.000001D47DC05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://www.youtube.com/	firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1808391569.0000025B21895000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807729352.0000025B21892000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1918451638.0000025B236B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.2951366567.000001D47D9D7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1901690236.0000025B23199000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1810115323.0000025B2187A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807773027.0000025B2187A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1930098222.0000025B224C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1918451638.0000025B236B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1935209842.0000025B223C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		high
https://spocs.getpocket.com/	firefox.exe, 00000011.00000002.2951366567.000001D47D913000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1903376931.0000025B22C6A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1915734384.0000025B293BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1807773027.0000025B2187A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1916519978.0000025B2904F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1747113259.0000025B210F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930098222.0000025B224C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855863630.0000025B228FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800203871.0000025B2287D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911946418.0000025B227B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750061161.0000025B210CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776390559.0000025B28EF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1750061161.0000025B210DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923436189.0000025B224BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867224832.0000025B28EF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849650264.0000025B210B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777902343.0000025B237E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851383084.0000025B224CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877864320.0000025B2485D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862000656.0000025B2483C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931889008.0000025B237E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901237950.0000025B23934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1747951468.0000025B210CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1872131339.0000025B22879000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1855094289.0000025B224E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1917778855.0000025B24374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898128340.0000025B24374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1917778855.0000025B24374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898128340.0000025B24374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900185637.0000025B239CA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false		high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1893261710.0000025B2ABCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914733764.0000025B2ABCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931005859.0000025B2ABD7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1891755753.0000025B2CD1F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1891755753.0000025B2CD1F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1915734384.0000025B293BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1774976533.0000025B28E6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876907984.0000025B28E6A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1896341377.0000025B2902D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1743024201.0000025B2092B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740724462.0000025B2090D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1744195652.0000025B20933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740147098.0000025B20933000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1807773027.0000025B2187A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1906101187.0000025B22BA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1935952067.0000025B22BA3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1917778855.0000025B24374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898128340.0000025B24374000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1808391569.0000025B21895000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1811203111.0000025B2175F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807773027.0000025B2187A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807729352.0000025B21892000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1743024201.0000025B2092B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740724462.0000025B2090D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1744195652.0000025B20933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740147098.0000025B20933000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1918451638.0000025B236B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2951978282.00000238B95CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC87E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2956208532.000001D47DC05000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1897756274.0000025B28F86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777312614.0000025B28FDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1913717105.0000025B2CDB9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1737384171.0000025B1E81F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1901690236.0000025B2315B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1801731659.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737134626.0000025B20C00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737620746.0000025B1E840000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737844085.0000025B1E862000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738027813.0000025B1E883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737384171.0000025B1E81F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1797535851.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871353055.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1800926163.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1868066575.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853693999.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792786583.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799037776.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799974052.0000025B228A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1926043068.0000025B23742000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2951372055.00000238B9270000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2955574616.0000024CC8CC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2955878363.000001D47DB30000.00000002.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561766
Start date and time:	2024-11-24 08:44:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 34.209.229.249, 52.32.237.164, 172.217.17.78, 23.200.86.251, 23.200.87.12, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:46:02	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.169.18.113
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.45.208.26
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.198.223.71
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.0.68.156
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.151.93.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_134e9a86-2d53-441a-900e-4da9908ea9ec.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181697517040544
Encrypted:	false
SSDEEP:	192:BRkjMXWQDcbhbVbTbfbRbObtbyEl7nkrdJA6WnSrDtTUd/SkDrc:XkY/cNhnzFSJErYBnSrDhUd/y
MD5:	4573E77F4BE9D19795E674D3AE4C5BF1
SHA1:	3F851BFB1390C49E2D445F044F2E2D3714B18C00
SHA-256:	4ADD50F5FA94F79BE7A7BAA5EFAD9267E60EA8C7B6FC578BC0A74C72FCAE2036
SHA-512:	55332BC3C3DFA7A90E83236BB0AEEEB87B7A645464FB8141E79E455F3D479C07B9405ABF64D8EA0D25B599E9E1DB0919057B315B509880CDE241CD0BE5172436
Malicious:	false
Preview:	{"type":"uninstall","id":"134e9a86-2d53-441a-900e-4da9908ea9ec","creationDate":"2024-11-24T09:14:07.207Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_134e9a86-2d53-441a-900e-4da9908ea9ec.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.181697517040544
Encrypted:	false
SSDEEP:	192:BRkjMXWQDcbhbVbTbfbRbObtbyEl7nkrdJA6WnSrDtTUd/SkDrc:XkY/cNhnzFSJErYBnSrDhUd/y
MD5:	4573E77F4BE9D19795E674D3AE4C5BF1
SHA1:	3F851BFB1390C49E2D445F044F2E2D3714B18C00
SHA-256:	4ADD50F5FA94F79BE7A7BAA5EFAD9267E60EA8C7B6FC578BC0A74C72FCAE2036
SHA-512:	55332BC3C3DFA7A90E83236BB0AEEEB87B7A645464FB8141E79E455F3D479C07B9405ABF64D8EA0D25B599E9E1DB0919057B315B509880CDE241CD0BE5172436
Malicious:	false
Preview:	{"type":"uninstall","id":"134e9a86-2d53-441a-900e-4da9908ea9ec","creationDate":"2024-11-24T09:14:07.207Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925604584102442
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNdiG:8S+OfJQPUFpOdwNIOdYVjvYcXaNLLv8P
MD5:	9969051871D92FA45B3645255853E19A
SHA1:	FB49E8481F2655CC70D44F251813FD18A4A73FA4
SHA-256:	7C8793610957FB7E3D71DDEC82A9D1CA25CE1690B829C02B7DB786FE3C79A5CB
SHA-512:	A797253BC2C7E1CE362EE931BD0F0A023B2EDFAE177CC6218B58F0F83B3525FBAFCB54F48001B986AC5A47781D299F67183A1505C21B0DBD5D7BAE851B2739C9
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925604584102442
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNdiG:8S+OfJQPUFpOdwNIOdYVjvYcXaNLLv8P
MD5:	9969051871D92FA45B3645255853E19A
SHA1:	FB49E8481F2655CC70D44F251813FD18A4A73FA4
SHA-256:	7C8793610957FB7E3D71DDEC82A9D1CA25CE1690B829C02B7DB786FE3C79A5CB
SHA-512:	A797253BC2C7E1CE362EE931BD0F0A023B2EDFAE177CC6218B58F0F83B3525FBAFCB54F48001B986AC5A47781D299F67183A1505C21B0DBD5D7BAE851B2739C9
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07331351347327941
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	F82B6D6E34F0F6C35244AC882B99BA1A
SHA1:	8D823A8AD303241A81C212E14D42E5550F98DBAA
SHA-256:	2BCC13F8764834729DE9036C2E1B25BBAD6E3101F443BEF21F34F5FFCBB310C6
SHA-512:	283C13D2E42B2DE000F4023046D9DA71CDA25823C067490354A9CAEE0C32DE12D72E71EA3C49770D608F3CBB987869871ED28685F5DD786D158769FA1760ACE3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFqYPFeK/PO3Hl1lstFqYPFeK/PO38/J89//alEl:GtWtoYPhQF1WtoYPhQ8/J89XuM
MD5:	02920EB0E2D61DD1C70611FE1BA5E213
SHA1:	5AE2DF3D41491647A980319F5EC7F991E1DB765F
SHA-256:	53E9A3B37CC37DE7BBE4E55BFA134A56946A6465C2B64EEEBEB577F819A86672
SHA-512:	7A9147F695B8CE5E38BAD70219EE14B9B881BA1574588F1472AE763BBA6E4E1FB9A0BF7B1FD577C31397FD838CAB2E50F7DD3723BCD3F737CC83A2985FF4F067
Malicious:	false
Preview:	..-.....................=."e....N4..8-.......-.....................=."e....N4..8-.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.04010304634033313
Encrypted:	false
SSDEEP:	3:Ol1kdeEdttofhUrqfCH4w5llll8rEXsxdwhml8XW3R2:KWdsU2cXll8dMhm93w
MD5:	04D01B5D8C23FAD2B393D4B9D8F56D0B
SHA1:	D5F9F1BF17FC18F4D83AEE999A0ACBC2E7D2D707
SHA-256:	80D458231BFF1B62E52C7CC8726C11E2B77A8D29038286107E1A3DDBA2B84D0C
SHA-512:	52C0342FE31F73A460BCE65FA2118EAA8D7A489D9C53E2016D6E08F021D433B5BFC8E100968161D48B666ECD270A56EFDF62B14961103621DA3804BF3D6B3D16
Malicious:	false
Preview:	7....-...........N4..8#...D3..........N4..8e".=...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494011465110751
Encrypted:	false
SSDEEP:	192:6naRtLYbBp6khj4qyaaX76KCeNji5RfGNBw8d9Sl:/eOqFhK+cwi0
MD5:	086E063E55799BE7F8D5EDE1879A0B18
SHA1:	BC3EB6284E9A3A29CB48140CD333B571B0B06586
SHA-256:	282148F6A70DF9DF55E2AC9B5E940CF1FC4741B72885369520F36D81094690DE
SHA-512:	F45ED48B0F0D22B568580EF296D0A3636E6833D744E9B3B5E737AF9A99E47C8AF66F9BA3D40DF225D03E55FAC0F1140D9841D7EC3AF171957BF569D798F41CCC
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732439617);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732439617);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732439617);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173243

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494011465110751
Encrypted:	false
SSDEEP:	192:6naRtLYbBp6khj4qyaaX76KCeNji5RfGNBw8d9Sl:/eOqFhK+cwi0
MD5:	086E063E55799BE7F8D5EDE1879A0B18
SHA1:	BC3EB6284E9A3A29CB48140CD333B571B0B06586
SHA-256:	282148F6A70DF9DF55E2AC9B5E940CF1FC4741B72885369520F36D81094690DE
SHA-512:	F45ED48B0F0D22B568580EF296D0A3636E6833D744E9B3B5E737AF9A99E47C8AF66F9BA3D40DF225D03E55FAC0F1140D9841D7EC3AF171957BF569D798F41CCC
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732439617);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732439617);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732439617);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173243

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.332009304833404
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSrlLXnIgo/pnxQwRlszT5sKt0Q3eHVQj6TyamhujJlOsIomNVr0aDO:GUpOxelInR6L3eHTy4JlIquR4
MD5:	869F918D67953553CE488599F88D4D09
SHA1:	B6AD6356ACDB6EF8610D8A5DECCD4DC09801689F
SHA-256:	5E2BEFC42DBD00D118822150CF64497A3C2A693AE1BF339259627AC268C45592
SHA-512:	63DCEB41BF7CA2499E5C3F3CF753C862F11033D764B6316A6762F72399B0913EC75AB256F345598EBD55657DE3536EFA7407C535ACC810E80ADF9309149C8B4B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{07ce89b1-c367-4c12-8059-514d883b1564}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732439622345,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`587093...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....593992,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.332009304833404
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSrlLXnIgo/pnxQwRlszT5sKt0Q3eHVQj6TyamhujJlOsIomNVr0aDO:GUpOxelInR6L3eHTy4JlIquR4
MD5:	869F918D67953553CE488599F88D4D09
SHA1:	B6AD6356ACDB6EF8610D8A5DECCD4DC09801689F
SHA-256:	5E2BEFC42DBD00D118822150CF64497A3C2A693AE1BF339259627AC268C45592
SHA-512:	63DCEB41BF7CA2499E5C3F3CF753C862F11033D764B6316A6762F72399B0913EC75AB256F345598EBD55657DE3536EFA7407C535ACC810E80ADF9309149C8B4B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{07ce89b1-c367-4c12-8059-514d883b1564}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732439622345,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`587093...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....593992,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.332009304833404
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSrlLXnIgo/pnxQwRlszT5sKt0Q3eHVQj6TyamhujJlOsIomNVr0aDO:GUpOxelInR6L3eHTy4JlIquR4
MD5:	869F918D67953553CE488599F88D4D09
SHA1:	B6AD6356ACDB6EF8610D8A5DECCD4DC09801689F
SHA-256:	5E2BEFC42DBD00D118822150CF64497A3C2A693AE1BF339259627AC268C45592
SHA-512:	63DCEB41BF7CA2499E5C3F3CF753C862F11033D764B6316A6762F72399B0913EC75AB256F345598EBD55657DE3536EFA7407C535ACC810E80ADF9309149C8B4B
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{07ce89b1-c367-4c12-8059-514d883b1564}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732439622345,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`587093...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....593992,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033509390734338
Encrypted:	false
SSDEEP:	48:YrSAYD6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycDyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	D28E869F7008071257ABBD9E19091B6D
SHA1:	4A53B341BF30849703C5FA668A778D29FD32CF25
SHA-256:	36BB40AC74088BC29299EC08D5EA676EC8E7F410C34DD918EF06A4D6AC2379A4
SHA-512:	61741DBF335151E8CDCFDBB2AAECDC52275A4BBCAEFDE5351A5CF0330A5A061C672BFCF3B7D4DCF9E0F81CFA08A8FEAF88CCCEBCBB3FFAE28DAF222884E231C9
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T09:13:22.472Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033509390734338
Encrypted:	false
SSDEEP:	48:YrSAYD6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycDyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	D28E869F7008071257ABBD9E19091B6D
SHA1:	4A53B341BF30849703C5FA668A778D29FD32CF25
SHA-256:	36BB40AC74088BC29299EC08D5EA676EC8E7F410C34DD918EF06A4D6AC2379A4
SHA-512:	61741DBF335151E8CDCFDBB2AAECDC52275A4BBCAEFDE5351A5CF0330A5A061C672BFCF3B7D4DCF9E0F81CFA08A8FEAF88CCCEBCBB3FFAE28DAF222884E231C9
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T09:13:22.472Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.590208732855975
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	921'600 bytes
MD5:	9f7cb01682d1fbe5fc35eb17e7900b4f
SHA1:	8d96d54298af510bdf3504fc2c26f5e66555186f
SHA256:	1033ce004d2c19d50ee1c486231f95dafe0da44ade7539504569a710fe28c12c
SHA512:	f5b5cf4c2b1ccb1a169a24c52ee6676770c80e71d1e615b7096260ec94ef8fcce4314720a13dad3c509c58cca7121e616d92bf044dda1816a90f3a6dc93ca0ab
SSDEEP:	12288:zqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaxTA:zqDEvCTbMWu7rQYlBQcBiT6rprG8aFA
TLSH:	3E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6742D2B4 [Sun Nov 24 07:16:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F17E4BE86C3h
jmp 00007F17E4BE7FCFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F17E4BE81ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F17E4BE817Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F17E4BEAD6Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F17E4BEADB8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F17E4BEADA1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa5d4	0xa600	8a0d0e2ff0ce0151591b30bc35bdb1fc	False	0.3619399472891566	data	5.568143343877404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x189a	data			1.001746586217847
RT_GROUP_ICON	0xde054	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde0cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde0e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde0f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde108	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde1e4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:45:57.527991056 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:57.528124094 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 08:45:57.528815985 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:57.535202980 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:57.535238028 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 08:45:58.807964087 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 08:45:58.815337896 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 08:45:58.815624952 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:58.823973894 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:58.824011087 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 08:45:58.824105978 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:58.824697018 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 08:45:58.826975107 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:45:59.627127886 CET	49738	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:45:59.627414942 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:45:59.627470016 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:45:59.627969980 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:45:59.629662037 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:45:59.629689932 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:45:59.686467886 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:45:59.686531067 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 08:45:59.691747904 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:45:59.696116924 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:45:59.696141005 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 08:45:59.747993946 CET	80	49738	34.107.221.82	192.168.2.4
Nov 24, 2024 08:45:59.748080969 CET	49738	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:45:59.748312950 CET	49738	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:45:59.867806911 CET	80	49738	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:00.278886080 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:00.278945923 CET	443	49741	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:00.279853106 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:00.281472921 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:00.281483889 CET	443	49741	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:00.427651882 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:00.427680969 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:00.428108931 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:00.428253889 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:00.428260088 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:00.467995882 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:00.468024969 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:00.468161106 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:00.469590902 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:00.469599962 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:00.733232021 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:00.733289003 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 08:46:00.733505964 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:00.733628035 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:00.733639956 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 08:46:00.879973888 CET	80	49738	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:00.934962034 CET	49738	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:01.326435089 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.327030897 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.328089952 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.328130007 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.333810091 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.333842039 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.333913088 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.334068060 CET	443	49739	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.334577084 CET	49739	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.438024044 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:01.480952024 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.481040001 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.481798887 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.481982946 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.494967937 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.494995117 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.495071888 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.495227098 CET	443	49740	142.250.181.78	192.168.2.4
Nov 24, 2024 08:46:01.495388985 CET	49740	443	192.168.2.4	142.250.181.78
Nov 24, 2024 08:46:01.557784081 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:01.566843987 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:01.568536043 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:01.602368116 CET	443	49741	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.607709885 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.646164894 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.646200895 CET	443	49741	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.646321058 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.646466017 CET	443	49741	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.646811008 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.646867037 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.647907972 CET	49741	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.647964001 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.649635077 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.649651051 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.688227892 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:01.689568043 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:01.699327946 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:01.708636999 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:01.737586975 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.747328043 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.748943090 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.749665022 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:01.749679089 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:01.749984026 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:01.809511900 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:01.832916975 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:01.833033085 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:01.833445072 CET	443	49742	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:01.835273027 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.835284948 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.835495949 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.836035967 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:01.836041927 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:01.849927902 CET	49742	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:01.994488001 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 08:46:01.994638920 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:01.998066902 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:01.998083115 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 08:46:01.998356104 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 08:46:02.000797033 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:02.000905991 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:02.001000881 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 08:46:02.001758099 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 08:46:02.039338112 CET	443	49743	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:02.039427042 CET	49743	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.282525063 CET	49738	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.403580904 CET	80	49738	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:02.403644085 CET	49738	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.556762934 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.556801081 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:02.559587955 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.561083078 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.561093092 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:02.570297956 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.652071953 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:02.657933950 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.689920902 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:02.701448917 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.701991081 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.778299093 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:02.778362989 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:02.821502924 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:02.914577961 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:02.914649963 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.920383930 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.920403957 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:02.920485973 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:02.920562029 CET	443	49747	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:02.920608997 CET	49747	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.472543955 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:03.472575903 CET	443	49752	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:03.476602077 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:03.478157043 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:03.478164911 CET	443	49752	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:03.598927975 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:03.598946095 CET	443	49753	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:03.599220991 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:03.600738049 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:03.600747108 CET	443	49753	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:03.627013922 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:03.627062082 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:03.632371902 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:03.632565975 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:03.632584095 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:03.642580986 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:03.642611980 CET	443	49755	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:03.650762081 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:03.652652025 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:03.652664900 CET	443	49755	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:03.825012922 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:03.825081110 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.829680920 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.829689980 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:03.829813957 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.829840899 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:03.830220938 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.830259085 CET	443	49756	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:03.831417084 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.831459045 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.832891941 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:03.832901001 CET	443	49756	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:03.835129023 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:03.886538982 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:04.701071978 CET	443	49752	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:04.703908920 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:04.709476948 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:04.709486008 CET	443	49752	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:04.709577084 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:04.709892988 CET	443	49752	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:04.709928989 CET	49752	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:04.860774994 CET	443	49753	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:04.860996008 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:04.865788937 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:04.865797997 CET	443	49753	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:04.865889072 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:04.866023064 CET	443	49753	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:04.866121054 CET	49753	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:04.911755085 CET	443	49755	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:04.911772966 CET	443	49755	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:04.911839962 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:04.916122913 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:04.916141033 CET	443	49755	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:04.916203976 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:04.916342020 CET	443	49755	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:04.916697025 CET	49755	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:04.937083006 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:04.937153101 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:04.940279961 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:04.940301895 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:04.940551043 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:04.942929983 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:04.943016052 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:04.943104982 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:04.943150997 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:05.096349955 CET	443	49756	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:05.096448898 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:05.101938963 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:05.101988077 CET	443	49756	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:05.102049112 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:05.102193117 CET	443	49756	34.117.188.166	192.168.2.4
Nov 24, 2024 08:46:05.102329969 CET	49756	443	192.168.2.4	34.117.188.166
Nov 24, 2024 08:46:06.954482079 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:06.995721102 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:06.995759964 CET	443	49757	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:06.995892048 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:06.995939970 CET	443	49758	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:06.996082067 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:06.996248007 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:06.996310949 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:06.996320009 CET	443	49757	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:06.996388912 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:06.996398926 CET	443	49758	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:07.074038982 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:07.095570087 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:07.095623016 CET	443	49759	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:07.096889019 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:07.098789930 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:07.098803043 CET	443	49759	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:07.099860907 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:07.219690084 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:07.220030069 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:07.220030069 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:07.278085947 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:07.328690052 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:07.340796947 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:08.211069107 CET	443	49757	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.211138964 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.245066881 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.245099068 CET	443	49757	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.245404005 CET	443	49757	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.277333975 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.277523041 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.277554035 CET	443	49757	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.277609110 CET	49757	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.306747913 CET	443	49758	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.306821108 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.309672117 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.309693098 CET	443	49758	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.310015917 CET	443	49758	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.362798929 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.365524054 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:08.366291046 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.366394043 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.366513014 CET	443	49758	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.366549969 CET	49758	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.369913101 CET	443	49759	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.369982958 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.384624004 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.384650946 CET	443	49759	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.384742022 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.384866953 CET	443	49759	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:08.384964943 CET	49759	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:08.416328907 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:11.090008974 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:11.092773914 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:11.209831953 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:11.213176966 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:11.327694893 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:11.327753067 CET	443	49763	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:11.329617023 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:11.414155960 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:11.417180061 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:11.455820084 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:11.471388102 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:12.932485104 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:12.932514906 CET	443	49763	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:13.187649012 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:13.307595015 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:13.326455116 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:13.326472998 CET	443	49766	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:13.326880932 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:13.328481913 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:13.328493118 CET	443	49766	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:13.520859957 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:13.561964035 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:14.200305939 CET	443	49763	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:14.202176094 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:14.388641119 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:14.388679981 CET	443	49763	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:14.388734102 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:14.388911009 CET	443	49763	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:14.395646095 CET	49763	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:14.587239027 CET	443	49766	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:14.595205069 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:14.599875927 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:14.599901915 CET	443	49766	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:14.599961996 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:14.600035906 CET	443	49766	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:14.600121975 CET	49766	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:14.800879002 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:14.920625925 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:15.124468088 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:15.166790962 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:15.297785044 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:15.417867899 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:15.622155905 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:15.668275118 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:24.820924997 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:24.821047068 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:24.821964979 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:24.823584080 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:24.823640108 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:25.128674030 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:25.248421907 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:25.630275011 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:25.749881983 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:25.825258970 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:25.825368881 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:25.829281092 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:25.829570055 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:25.829612017 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:25.850398064 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:25.850477934 CET	443	49771	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:25.850758076 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:25.850909948 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:25.850941896 CET	443	49771	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:25.959853888 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:25.959923983 CET	443	49772	35.190.72.216	192.168.2.4
Nov 24, 2024 08:46:25.960284948 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:25.961827993 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:25.961848021 CET	443	49772	35.190.72.216	192.168.2.4
Nov 24, 2024 08:46:26.014702082 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:26.014754057 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:26.015746117 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:26.016021013 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:26.016038895 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:26.091713905 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:26.100583076 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:26.104643106 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:26.104671955 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:26.104751110 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:26.104872942 CET	443	49769	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:26.108767986 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:26.116144896 CET	49769	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:26.116988897 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:26.117062092 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 08:46:26.131763935 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:26.133888960 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:26.133910894 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 08:46:26.229176998 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:26.434144974 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:26.437334061 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:26.475841045 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:26.556932926 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:26.761456013 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:26.807969093 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:27.110476971 CET	443	49771	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.110619068 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.115287066 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.115309000 CET	443	49771	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.115693092 CET	443	49771	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.118630886 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.118797064 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.118824959 CET	443	49771	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.119051933 CET	49771	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.119287014 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.119354963 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.119443893 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.119607925 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.119632959 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.131675005 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.134387970 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.138166904 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.138197899 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.138452053 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.141251087 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.141405106 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.141442060 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.141453028 CET	443	49770	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.141716003 CET	49770	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.146262884 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:27.223798037 CET	443	49772	35.190.72.216	192.168.2.4
Nov 24, 2024 08:46:27.223982096 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:27.229357004 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:27.229401112 CET	443	49772	35.190.72.216	192.168.2.4
Nov 24, 2024 08:46:27.229501963 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:27.229546070 CET	443	49772	35.190.72.216	192.168.2.4
Nov 24, 2024 08:46:27.229820013 CET	49772	443	192.168.2.4	35.190.72.216
Nov 24, 2024 08:46:27.265944004 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:27.274537086 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:27.277806997 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:27.286947012 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:27.286964893 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:27.287168980 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:27.289896011 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:27.290000916 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:27.290009022 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:27.290019989 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:27.301403046 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.301441908 CET	443	49776	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.301675081 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.301826954 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.301839113 CET	443	49776	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.303864956 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.303925991 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.304088116 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.304234982 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.304255962 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.306794882 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.306807995 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.306884050 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.307033062 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:27.307039976 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:27.403168917 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 08:46:27.403187990 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 08:46:27.403249025 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:27.408324003 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:27.408350945 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 08:46:27.408467054 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:27.408588886 CET	443	49774	35.201.103.21	192.168.2.4
Nov 24, 2024 08:46:27.408785105 CET	49774	443	192.168.2.4	35.201.103.21
Nov 24, 2024 08:46:27.423027039 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.423055887 CET	443	49779	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.423206091 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.423381090 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:27.423389912 CET	443	49779	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:27.470366955 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:27.474117041 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:27.499329090 CET	443	49773	151.101.65.91	192.168.2.4
Nov 24, 2024 08:46:27.499417067 CET	49773	443	192.168.2.4	151.101.65.91
Nov 24, 2024 08:46:27.525744915 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:27.593815088 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:27.820976019 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:27.880036116 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:28.430694103 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.430802107 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.435353041 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.435369015 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.435709953 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.437788010 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.437927008 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.437973022 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.438169956 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.441766977 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:28.517378092 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.517673016 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.518158913 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.518460035 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.521691084 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.521720886 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.521977901 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.525136948 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.525158882 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.525347948 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.529278994 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.529468060 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.529570103 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.529597998 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.530051947 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.530121088 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.530210972 CET	443	49778	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.530353069 CET	49778	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.530798912 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.561306000 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:28.564834118 CET	443	49776	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.564970016 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.568557024 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.568574905 CET	443	49776	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.568811893 CET	443	49776	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.571304083 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.571408987 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.571465015 CET	443	49776	35.244.181.201	192.168.2.4
Nov 24, 2024 08:46:28.575370073 CET	49776	443	192.168.2.4	35.244.181.201
Nov 24, 2024 08:46:28.729248047 CET	443	49779	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.729516983 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.734344006 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.734366894 CET	443	49779	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.734797001 CET	443	49779	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.737818003 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.737977982 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.738085985 CET	443	49779	34.149.100.209	192.168.2.4
Nov 24, 2024 08:46:28.738233089 CET	49779	443	192.168.2.4	34.149.100.209
Nov 24, 2024 08:46:28.766506910 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:28.770488024 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:28.813992023 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:28.890141010 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:29.095983028 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:29.146147013 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:38.773940086 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:38.966500044 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:39.112715960 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:39.232214928 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:46.240107059 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:46.240144968 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:46.240215063 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:46.241627932 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:46.241636992 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:47.544013023 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:47.544120073 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:47.548134089 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:47.548142910 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:47.548250914 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:47.548253059 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:47.548263073 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:47.550710917 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:47.670195103 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:47.755331993 CET	443	49781	34.107.243.93	192.168.2.4
Nov 24, 2024 08:46:47.755539894 CET	49781	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:46:47.874504089 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:47.877994061 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:47.915561914 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:47.997658968 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:48.201724052 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:48.254364967 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:55.981654882 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.981769085 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:55.981800079 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.981836081 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:55.981926918 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.981981993 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:55.983541012 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.983551025 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.983551979 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.983763933 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.983793020 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:55.983943939 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.983964920 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:55.984031916 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:55.984045029 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.204086065 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.206080914 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.209181070 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.209216118 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.209573030 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.211762905 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.211977959 CET	443	49799	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.212017059 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.226099968 CET	49799	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.243695974 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.243820906 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.246803999 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.246819019 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.247066975 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.248977900 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.249115944 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.249134064 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.249352932 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.249373913 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.254172087 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:57.286818981 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.286897898 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.290085077 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.290110111 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.290348053 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.292699099 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.292840958 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.292841911 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.292854071 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.373723984 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:57.503333092 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 08:46:57.503416061 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 08:46:57.577765942 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:57.581346035 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:57.628722906 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:46:57.700995922 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:57.906527996 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:46:57.967400074 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:00.871741056 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:00.991318941 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:01.196676970 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:01.200346947 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:01.238532066 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:01.319940090 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:01.524072886 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:01.577173948 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:11.204613924 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:11.324162006 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:11.536688089 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:11.656338930 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:21.342715979 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:21.463670015 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:21.665767908 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:21.785605907 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:27.706527948 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:27.706643105 CET	443	49872	34.107.243.93	192.168.2.4
Nov 24, 2024 08:47:27.706831932 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:27.708451033 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:27.708491087 CET	443	49872	34.107.243.93	192.168.2.4
Nov 24, 2024 08:47:28.971726894 CET	443	49872	34.107.243.93	192.168.2.4
Nov 24, 2024 08:47:28.971812010 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:28.976840019 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:28.976861000 CET	443	49872	34.107.243.93	192.168.2.4
Nov 24, 2024 08:47:28.976963043 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:28.977016926 CET	443	49872	34.107.243.93	192.168.2.4
Nov 24, 2024 08:47:28.977838993 CET	49872	443	192.168.2.4	34.107.243.93
Nov 24, 2024 08:47:28.979928970 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:29.099607944 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:29.308485031 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:29.312539101 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:29.350471973 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:29.432849884 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:29.636816978 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:29.689120054 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:39.315716982 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:39.435348034 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:39.647871971 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:39.767535925 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:49.461438894 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:49.581402063 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:49.778002977 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:49.897466898 CET	80	49760	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:59.588409901 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:47:59.708077908 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 08:47:59.904841900 CET	49760	80	192.168.2.4	34.107.221.82
Nov 24, 2024 08:48:00.024466038 CET	80	49760	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 08:45:57.528700113 CET	63363	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:57.667491913 CET	53	63363	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:57.668313026 CET	63908	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:58.016124964 CET	53	63908	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:59.488981962 CET	63219	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:59.489315987 CET	59987	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:59.626003027 CET	53	63219	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:59.627650023 CET	64825	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:59.627886057 CET	59488	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:59.766874075 CET	53	64825	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:59.766891003 CET	53	59488	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:59.768280029 CET	58725	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:59.768333912 CET	61733	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:45:59.905186892 CET	53	58725	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:59.905510902 CET	53	61733	1.1.1.1	192.168.2.4
Nov 24, 2024 08:45:59.957428932 CET	56948	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.094912052 CET	53	56948	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.279247046 CET	52096	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.329241991 CET	63345	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.416501045 CET	53	52096	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.417216063 CET	56627	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.427829027 CET	65100	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.466830969 CET	53	63345	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.468084097 CET	62909	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.556258917 CET	53	56627	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.565289974 CET	53	65100	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.565967083 CET	62153	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.592129946 CET	65387	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.605875015 CET	53	62909	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.606488943 CET	52398	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.703965902 CET	53	62153	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.730731010 CET	53	65387	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.733413935 CET	54406	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.744350910 CET	53	52398	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.872823954 CET	53	54406	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:00.884221077 CET	63921	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:00.887496948 CET	58195	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:01.021478891 CET	53	63921	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:01.025018930 CET	53	58195	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:01.046354055 CET	60935	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:01.183702946 CET	53	60935	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:01.298974991 CET	63245	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:02.728910923 CET	49345	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:02.837043047 CET	54015	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.068689108 CET	53	54015	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.070019960 CET	58323	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.208451986 CET	53	58323	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.219928026 CET	59460	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.356986046 CET	53	59460	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.495326996 CET	60162	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.599129915 CET	64818	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.632895947 CET	53	60162	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.643201113 CET	63789	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.673266888 CET	53	53155	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.737936974 CET	53	64818	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.740483046 CET	55008	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.780401945 CET	53	63789	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.782499075 CET	53411	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:03.877713919 CET	53	55008	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:03.920002937 CET	53	53411	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:06.889128923 CET	61216	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:06.954092979 CET	50482	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:07.026086092 CET	53	61216	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:07.034938097 CET	61454	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:07.172317982 CET	53	61454	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:07.173346996 CET	60605	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:07.315783978 CET	53	60605	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:11.328567982 CET	54099	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:11.466327906 CET	53	54099	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:13.187794924 CET	60978	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:13.325104952 CET	53	60978	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:13.326033115 CET	59424	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:13.463680029 CET	53	59424	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.156578064 CET	60968	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.156836033 CET	49419	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.157069921 CET	59115	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.293639898 CET	53	60968	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.293798923 CET	53	49419	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.294775009 CET	53	59115	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.294789076 CET	65249	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.294826031 CET	58915	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.295376062 CET	51818	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.431716919 CET	53	65249	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.431816101 CET	53	58915	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.432702065 CET	62906	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.432703018 CET	62451	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.433128119 CET	53	51818	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.433723927 CET	59734	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.569979906 CET	53	62906	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.570733070 CET	53	62451	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.741213083 CET	53	59734	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.850128889 CET	49913	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.850441933 CET	57206	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.987404108 CET	53	49913	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.987446070 CET	53	57206	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:15.988440990 CET	50936	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:15.988581896 CET	58225	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:16.125555992 CET	53	58225	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:16.125854969 CET	53	50936	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:16.126393080 CET	52847	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:16.126535892 CET	62705	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:16.263575077 CET	53	52847	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:16.339835882 CET	53	62705	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:24.821849108 CET	61112	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:24.958998919 CET	53	61112	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:25.826412916 CET	62444	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:25.849670887 CET	56060	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:25.963711023 CET	64208	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:25.963808060 CET	53	62444	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:25.987639904 CET	53	56060	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:26.015347004 CET	62987	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:26.101841927 CET	53	64208	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:26.117558002 CET	62596	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:26.153254032 CET	53	62987	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:26.161679029 CET	56534	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:26.257033110 CET	53	62596	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:26.284800053 CET	65209	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:26.300616980 CET	53	56534	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:26.422322989 CET	53	65209	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:28.770757914 CET	50591	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:46.240494967 CET	52327	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:46.377866983 CET	53	52327	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:47.551237106 CET	61444	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:47.691071987 CET	50696	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:47.828098059 CET	53	50696	1.1.1.1	192.168.2.4
Nov 24, 2024 08:46:55.981949091 CET	49903	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:46:56.119903088 CET	53	49903	1.1.1.1	192.168.2.4
Nov 24, 2024 08:47:27.564584017 CET	56277	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:47:27.705245018 CET	53	56277	1.1.1.1	192.168.2.4
Nov 24, 2024 08:47:27.706412077 CET	64580	53	192.168.2.4	1.1.1.1
Nov 24, 2024 08:47:27.843327999 CET	53	64580	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 08:45:57.528700113 CET	192.168.2.4	1.1.1.1	0x90ab	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:57.668313026 CET	192.168.2.4	1.1.1.1	0x1bcd	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:45:59.488981962 CET	192.168.2.4	1.1.1.1	0x3e0f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.489315987 CET	192.168.2.4	1.1.1.1	0xf7ec	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.627650023 CET	192.168.2.4	1.1.1.1	0x43d2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.627886057 CET	192.168.2.4	1.1.1.1	0x540b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.768280029 CET	192.168.2.4	1.1.1.1	0x716c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:45:59.768333912 CET	192.168.2.4	1.1.1.1	0xe912	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 08:45:59.957428932 CET	192.168.2.4	1.1.1.1	0xc24c	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.279247046 CET	192.168.2.4	1.1.1.1	0x11dc	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.329241991 CET	192.168.2.4	1.1.1.1	0xd051	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.417216063 CET	192.168.2.4	1.1.1.1	0x8bfd	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:00.427829027 CET	192.168.2.4	1.1.1.1	0xcce8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.468084097 CET	192.168.2.4	1.1.1.1	0x11c1	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.565967083 CET	192.168.2.4	1.1.1.1	0x5d4b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:00.592129946 CET	192.168.2.4	1.1.1.1	0xcee8	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.606488943 CET	192.168.2.4	1.1.1.1	0x6865	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:00.733413935 CET	192.168.2.4	1.1.1.1	0xeb08	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.884221077 CET	192.168.2.4	1.1.1.1	0xa94a	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.887496948 CET	192.168.2.4	1.1.1.1	0x5ae	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:01.046354055 CET	192.168.2.4	1.1.1.1	0x5f04	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:01.298974991 CET	192.168.2.4	1.1.1.1	0xdb41	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:02.728910923 CET	192.168.2.4	1.1.1.1	0xe85e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:02.837043047 CET	192.168.2.4	1.1.1.1	0x778c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.070019960 CET	192.168.2.4	1.1.1.1	0xe9a6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.219928026 CET	192.168.2.4	1.1.1.1	0x46a2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:03.495326996 CET	192.168.2.4	1.1.1.1	0xa7f5	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.599129915 CET	192.168.2.4	1.1.1.1	0xd3ef	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.643201113 CET	192.168.2.4	1.1.1.1	0xae83	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.740483046 CET	192.168.2.4	1.1.1.1	0x6455	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:03.782499075 CET	192.168.2.4	1.1.1.1	0xf02b	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:06.889128923 CET	192.168.2.4	1.1.1.1	0xe76f	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:06.954092979 CET	192.168.2.4	1.1.1.1	0x81c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:07.034938097 CET	192.168.2.4	1.1.1.1	0x9135	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:07.173346996 CET	192.168.2.4	1.1.1.1	0x67e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:11.328567982 CET	192.168.2.4	1.1.1.1	0x115a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:13.187794924 CET	192.168.2.4	1.1.1.1	0x9449	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:13.326033115 CET	192.168.2.4	1.1.1.1	0x88d6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:15.156578064 CET	192.168.2.4	1.1.1.1	0x10d7	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.156836033 CET	192.168.2.4	1.1.1.1	0x6c9c	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.157069921 CET	192.168.2.4	1.1.1.1	0x6f7e	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.294789076 CET	192.168.2.4	1.1.1.1	0x67ae	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.294826031 CET	192.168.2.4	1.1.1.1	0xe714	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.295376062 CET	192.168.2.4	1.1.1.1	0x8a4b	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.432702065 CET	192.168.2.4	1.1.1.1	0x422f	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:15.432703018 CET	192.168.2.4	1.1.1.1	0xa0b0	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:15.433723927 CET	192.168.2.4	1.1.1.1	0x114e	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 08:46:15.850128889 CET	192.168.2.4	1.1.1.1	0x3a58	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.850441933 CET	192.168.2.4	1.1.1.1	0xd824	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.988440990 CET	192.168.2.4	1.1.1.1	0x6850	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.988581896 CET	192.168.2.4	1.1.1.1	0x3d56	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.126393080 CET	192.168.2.4	1.1.1.1	0x1963	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:16.126535892 CET	192.168.2.4	1.1.1.1	0x413e	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:24.821849108 CET	192.168.2.4	1.1.1.1	0x5195	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:25.826412916 CET	192.168.2.4	1.1.1.1	0xa671	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 08:46:25.849670887 CET	192.168.2.4	1.1.1.1	0x6595	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:25.963711023 CET	192.168.2.4	1.1.1.1	0xca71	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.015347004 CET	192.168.2.4	1.1.1.1	0x9cf4	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.117558002 CET	192.168.2.4	1.1.1.1	0xf9e2	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.161679029 CET	192.168.2.4	1.1.1.1	0x2614	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 08:46:26.284800053 CET	192.168.2.4	1.1.1.1	0xd2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:28.770757914 CET	192.168.2.4	1.1.1.1	0xf425	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:46.240494967 CET	192.168.2.4	1.1.1.1	0xdde7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:46:47.551237106 CET	192.168.2.4	1.1.1.1	0xeac5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:47.691071987 CET	192.168.2.4	1.1.1.1	0x1e6f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:55.981949091 CET	192.168.2.4	1.1.1.1	0xfcf6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 08:47:27.564584017 CET	192.168.2.4	1.1.1.1	0x681b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:47:27.706412077 CET	192.168.2.4	1.1.1.1	0x968f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 08:45:57.516472101 CET	1.1.1.1	192.168.2.4	0xf975	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:57.667491913 CET	1.1.1.1	192.168.2.4	0x90ab	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.626003027 CET	1.1.1.1	192.168.2.4	0x3e0f	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.626250982 CET	1.1.1.1	192.168.2.4	0xf7ec	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:45:59.626250982 CET	1.1.1.1	192.168.2.4	0xf7ec	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.766874075 CET	1.1.1.1	192.168.2.4	0x43d2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.766891003 CET	1.1.1.1	192.168.2.4	0x540b	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:45:59.905186892 CET	1.1.1.1	192.168.2.4	0x716c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 08:45:59.905510902 CET	1.1.1.1	192.168.2.4	0xe912	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 08:46:00.094912052 CET	1.1.1.1	192.168.2.4	0xc24c	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.416501045 CET	1.1.1.1	192.168.2.4	0x11dc	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.422097921 CET	1.1.1.1	192.168.2.4	0x9bc7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:00.422097921 CET	1.1.1.1	192.168.2.4	0x9bc7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.466830969 CET	1.1.1.1	192.168.2.4	0xd051	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:00.466830969 CET	1.1.1.1	192.168.2.4	0xd051	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.565289974 CET	1.1.1.1	192.168.2.4	0xcce8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.605875015 CET	1.1.1.1	192.168.2.4	0x11c1	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.730731010 CET	1.1.1.1	192.168.2.4	0xcee8	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:00.730731010 CET	1.1.1.1	192.168.2.4	0xcee8	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:00.730731010 CET	1.1.1.1	192.168.2.4	0xcee8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:00.872823954 CET	1.1.1.1	192.168.2.4	0xeb08	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:01.021478891 CET	1.1.1.1	192.168.2.4	0xa94a	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:01.025018930 CET	1.1.1.1	192.168.2.4	0x5ae	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 08:46:01.183702946 CET	1.1.1.1	192.168.2.4	0x5f04	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:01.183702946 CET	1.1.1.1	192.168.2.4	0x5f04	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:01.436295986 CET	1.1.1.1	192.168.2.4	0xdb41	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:01.436295986 CET	1.1.1.1	192.168.2.4	0xdb41	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.068689108 CET	1.1.1.1	192.168.2.4	0x778c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.139189005 CET	1.1.1.1	192.168.2.4	0xe85e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:03.208451986 CET	1.1.1.1	192.168.2.4	0xe9a6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.579082966 CET	1.1.1.1	192.168.2.4	0x777e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.612416029 CET	1.1.1.1	192.168.2.4	0xdf49	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:03.612416029 CET	1.1.1.1	192.168.2.4	0xdf49	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.632895947 CET	1.1.1.1	192.168.2.4	0xa7f5	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:03.632895947 CET	1.1.1.1	192.168.2.4	0xa7f5	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.737936974 CET	1.1.1.1	192.168.2.4	0xd3ef	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:03.780401945 CET	1.1.1.1	192.168.2.4	0xae83	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:07.026086092 CET	1.1.1.1	192.168.2.4	0xe76f	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:07.026086092 CET	1.1.1.1	192.168.2.4	0xe76f	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:07.026086092 CET	1.1.1.1	192.168.2.4	0xe76f	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:07.091212988 CET	1.1.1.1	192.168.2.4	0x81c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:07.091212988 CET	1.1.1.1	192.168.2.4	0x81c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:07.093240023 CET	1.1.1.1	192.168.2.4	0x1c77	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:07.172317982 CET	1.1.1.1	192.168.2.4	0x9135	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:13.325104952 CET	1.1.1.1	192.168.2.4	0x9449	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293639898 CET	1.1.1.1	192.168.2.4	0x10d7	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293798923 CET	1.1.1.1	192.168.2.4	0x6c9c	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:15.293798923 CET	1.1.1.1	192.168.2.4	0x6c9c	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.294775009 CET	1.1.1.1	192.168.2.4	0x6f7e	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:15.294775009 CET	1.1.1.1	192.168.2.4	0x6f7e	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431716919 CET	1.1.1.1	192.168.2.4	0x67ae	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.431816101 CET	1.1.1.1	192.168.2.4	0xe714	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.433128119 CET	1.1.1.1	192.168.2.4	0x8a4b	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.569979906 CET	1.1.1.1	192.168.2.4	0x422f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 08:46:15.569979906 CET	1.1.1.1	192.168.2.4	0x422f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 08:46:15.569979906 CET	1.1.1.1	192.168.2.4	0x422f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 08:46:15.569979906 CET	1.1.1.1	192.168.2.4	0x422f	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 08:46:15.570733070 CET	1.1.1.1	192.168.2.4	0xa0b0	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 08:46:15.741213083 CET	1.1.1.1	192.168.2.4	0x114e	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 08:46:15.987404108 CET	1.1.1.1	192.168.2.4	0x3a58	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:15.987404108 CET	1.1.1.1	192.168.2.4	0x3a58	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.987404108 CET	1.1.1.1	192.168.2.4	0x3a58	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.987404108 CET	1.1.1.1	192.168.2.4	0x3a58	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.987404108 CET	1.1.1.1	192.168.2.4	0x3a58	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:15.987446070 CET	1.1.1.1	192.168.2.4	0xd824	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125555992 CET	1.1.1.1	192.168.2.4	0x3d56	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125555992 CET	1.1.1.1	192.168.2.4	0x3d56	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125555992 CET	1.1.1.1	192.168.2.4	0x3d56	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125555992 CET	1.1.1.1	192.168.2.4	0x3d56	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125854969 CET	1.1.1.1	192.168.2.4	0x6850	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125854969 CET	1.1.1.1	192.168.2.4	0x6850	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125854969 CET	1.1.1.1	192.168.2.4	0x6850	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:16.125854969 CET	1.1.1.1	192.168.2.4	0x6850	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:25.987639904 CET	1.1.1.1	192.168.2.4	0x6595	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:25.987639904 CET	1.1.1.1	192.168.2.4	0x6595	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:25.987639904 CET	1.1.1.1	192.168.2.4	0x6595	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:25.987639904 CET	1.1.1.1	192.168.2.4	0x6595	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.101841927 CET	1.1.1.1	192.168.2.4	0xca71	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:26.101841927 CET	1.1.1.1	192.168.2.4	0xca71	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.153254032 CET	1.1.1.1	192.168.2.4	0x9cf4	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.153254032 CET	1.1.1.1	192.168.2.4	0x9cf4	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.153254032 CET	1.1.1.1	192.168.2.4	0x9cf4	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.153254032 CET	1.1.1.1	192.168.2.4	0x9cf4	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.257033110 CET	1.1.1.1	192.168.2.4	0xf9e2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:26.300616980 CET	1.1.1.1	192.168.2.4	0x2614	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 08:46:26.300616980 CET	1.1.1.1	192.168.2.4	0x2614	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 08:46:26.300616980 CET	1.1.1.1	192.168.2.4	0x2614	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 08:46:26.300616980 CET	1.1.1.1	192.168.2.4	0x2614	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 08:46:28.908432007 CET	1.1.1.1	192.168.2.4	0xf425	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:28.908432007 CET	1.1.1.1	192.168.2.4	0xf425	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:29.436978102 CET	1.1.1.1	192.168.2.4	0x19ba	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:29.436978102 CET	1.1.1.1	192.168.2.4	0x19ba	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:47.689675093 CET	1.1.1.1	192.168.2.4	0xeac5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 08:46:47.689675093 CET	1.1.1.1	192.168.2.4	0xeac5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:47.828098059 CET	1.1.1.1	192.168.2.4	0x1e6f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:46:55.979355097 CET	1.1.1.1	192.168.2.4	0x41d9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 08:47:27.705245018 CET	1.1.1.1	192.168.2.4	0x681b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	34.107.221.82	80	8000	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:45:59.748312950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:00.879973888 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50868 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	8000	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:46:01.568536043 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:02.652071953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 29215 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	8000	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:46:02.701991081 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:03.835129023 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50871 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:06.954482079 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:07.278085947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50875 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:11.092773914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:11.417180061 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50879 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:14.800879002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:15.124468088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50882 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:25.128674030 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:46:26.108767986 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:26.434144974 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50894 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:27.146262884 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:27.470366955 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50895 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:28.441766977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:28.766506910 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50896 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:38.773940086 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:46:47.550710917 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:47.874504089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50915 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:46:57.254172087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:46:57.577765942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50925 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:47:00.871741056 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:47:01.196676970 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50929 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:47:11.204613924 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:21.342715979 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:28.979928970 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 08:47:29.308485031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 50957 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 08:47:39.315716982 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:49.461438894 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:59.588409901 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49760	34.107.221.82	80	8000	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 08:46:07.220030069 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:08.365524054 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82521 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:11.090008974 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:11.414155960 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82524 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:13.187649012 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:13.520859957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82526 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:15.297785044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:15.622155905 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82528 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:25.630275011 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:46:26.437334061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:26.761456013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:27.474117041 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:27.820976019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82540 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:28.770488024 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:29.095983028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82541 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:39.112715960 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:46:47.877994061 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:48.201724052 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82561 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:46:57.581346035 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:46:57.906527996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82570 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:47:01.200346947 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:47:01.524072886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82574 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:47:11.536688089 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:21.665767908 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:29.312539101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 08:47:29.636816978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 08:50:47 GMT Age: 82602 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 08:47:39.647871971 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:49.778002977 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 08:47:59.904841900 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:45:50
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcb0000
File size:	921'600 bytes
MD5 hash:	9F7CB01682D1FBE5FC35EB17E7900B4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:45:51
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:45:51
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xf0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:45:53
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:45:54
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:45:54
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:45:54
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:45:55
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38740587-0ab5-4558-a083-ac020817d2ac} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b1106d310 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:45:57
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -parentBuildID 20230927232528 -prefsHandle 4060 -prefMapHandle 4076 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abdc506f-27bb-439e-bf29-d9789595e83a} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b11083610 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:46:02
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9efa6a00-eda8-4ed7-870f-68f089d89d22} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 25b225f3d10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1560
Total number of Limit Nodes:	72

Executed Functions

Function 00CB42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00CB430D

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

GetCurrentProcess.KERNEL32(?,00D4CB64,00000000,?,?), ref: 00CB4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00CB4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00CB4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00CB4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00CB4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00CB447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00CB44A0

Strings

GetNativeSystemInfo, xrefs: 00CB4460
kernel32.dll, xrefs: 00CB444F
|O, xrefs: 00CF36F8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0823085229b336285242525327ac7cb7533de1385d19bc77f6edd1e9bdc08d51
Instruction ID: 7a58aa119b28bde18eed74462b498a76393cd6a63c349c4a259fc8ab9a8e982c
Opcode Fuzzy Hash: 0823085229b336285242525327ac7cb7533de1385d19bc77f6edd1e9bdc08d51
Instruction Fuzzy Hash: 6CA1917E93E3C4EFC716DB697C411E57FAC6B26740B085899E081D3B22D2614A0EDB32

Function 00CB42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00CB50AA,?,?,00000000,00000000), ref: 00CB42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CB50AA,?,?,00000000,00000000), ref: 00CB42C9
LoadResource.KERNEL32(?,00000000,?,?,00CB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F20), ref: 00CF35BE
SizeofResource.KERNEL32(?,00000000,?,?,00CB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F20), ref: 00CF35D3
LockResource.KERNEL32(00CB50AA,?,?,00CB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00CB4F20,?), ref: 00CF35E6

Strings

SCRIPT, xrefs: 00CB42BF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2a4b07e74bb5403f67cbcf842e87c50bf61e9a5ac54249b9e02f3bf5aec61a4b
Instruction ID: d77471d7cc93a751cf0b96ba3a730ce6788b27d990166107abdadf92b6bfb7cb
Opcode Fuzzy Hash: 2a4b07e74bb5403f67cbcf842e87c50bf61e9a5ac54249b9e02f3bf5aec61a4b
Instruction Fuzzy Hash: 69118E74201700BFEB258FA5DC89F677BB9EBC6B51F144169F412DA260DBB1DD009631

Function 00CF2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00CB2B6B

Part of subcall function 00CB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D81418,?,00CB2E7F,?,?,?,00000000), ref: 00CB3A78

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D72224), ref: 00CF2C10
ShellExecuteW.SHELL32(00000000,?,?,00D72224), ref: 00CF2C17

Strings

runas, xrefs: 00CF2C0B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 96e0414a4b839d8bc27e8212bbc8f26f7a021a976ebd467d667c18ecfd64fbb6
Instruction ID: 4ce0196ec84998e520c102abdbba401357ed0113be1669675760732be6afebea
Opcode Fuzzy Hash: 96e0414a4b839d8bc27e8212bbc8f26f7a021a976ebd467d667c18ecfd64fbb6
Instruction Fuzzy Hash: D711BE31208385ABC714FF64D8929FEBBA8AB91700F44142DF196521A2DF218A4EA723

Function 00D1D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D1D501
Process32FirstW.KERNEL32(00000000,?), ref: 00D1D50F
Process32NextW.KERNEL32(00000000,?), ref: 00D1D52F
CloseHandle.KERNELBASE(00000000), ref: 00D1D5DC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e50a5e144a56e0ea3727c5cafe935705aa83878bae604a0a0eeff58e9732c43c
Instruction ID: 4de3b29042e1758ed0e523f7acd5954589805577d872c50f9fa633a31c38d19d
Opcode Fuzzy Hash: e50a5e144a56e0ea3727c5cafe935705aa83878bae604a0a0eeff58e9732c43c
Instruction Fuzzy Hash: E031A271108300AFD300EF54D885AEFBBF9EF9A354F14092DF585861A1EF719985DBA2

Function 00D1DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00CF5222), ref: 00D1DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00D1DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00D1DBEE
FindClose.KERNEL32(00000000), ref: 00D1DBFA

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 95f0a77237c5c67e00ca71e1480eb0573afb94a181bbf721d46c8b267f4ad5f2
Instruction ID: 3a49b4dfafdbf82eeeb64e07e17b01a01d472b33afe00d04df328eef6a201571
Opcode Fuzzy Hash: 95f0a77237c5c67e00ca71e1480eb0573afb94a181bbf721d46c8b267f4ad5f2
Instruction Fuzzy Hash: C4F0A734421A106782206FB8AC4D4EA377E9E06334B144B02F575C11E0EFF05994C5F9

Function 00CD4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00CE28E9,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002,00000000,?,00CE28E9), ref: 00CD4D09
TerminateProcess.KERNEL32(00000000,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002,00000000,?,00CE28E9), ref: 00CD4D10
ExitProcess.KERNEL32 ref: 00CD4D22

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8e84e7606bd8b99796f0d879a9d02d892b7c400ce9d0d6db8d7239ec71fc1732
Instruction ID: aab6652ba8f3e74a0a0d3657421e26e5431bbe5c25cea83a470f31b681c3b6ae
Opcode Fuzzy Hash: 8e84e7606bd8b99796f0d879a9d02d892b7c400ce9d0d6db8d7239ec71fc1732
Instruction Fuzzy Hash: 68E0B635011288ABCF65AF64DD0DA583B6AFB42781B144015FE15CB322CB35EE42DA90

Function 00D3AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00D3B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B1D4
_wcslen.LIBCMT ref: 00D3B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D3B236
_wcslen.LIBCMT ref: 00D3B332

Part of subcall function 00D205A7: GetStdHandle.KERNEL32(000000F6), ref: 00D205C6

_wcslen.LIBCMT ref: 00D3B34B
_wcslen.LIBCMT ref: 00D3B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D3B3B6
GetLastError.KERNEL32(00000000), ref: 00D3B407
CloseHandle.KERNEL32(?), ref: 00D3B439
CloseHandle.KERNEL32(00000000), ref: 00D3B44A
CloseHandle.KERNEL32(00000000), ref: 00D3B45C
CloseHandle.KERNEL32(00000000), ref: 00D3B46E
CloseHandle.KERNEL32(?), ref: 00D3B4E3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: acbb038716550c4c80156c25327ff24b03c2b2057e45cec48f4c00744675bd27
Instruction ID: d109858e16eba8791f6960bcc45675ec202544a5dd9f2ecc305798ecec318ab1
Opcode Fuzzy Hash: acbb038716550c4c80156c25327ff24b03c2b2057e45cec48f4c00744675bd27
Instruction Fuzzy Hash: 8EF18F316043009FC724EF24C891B6EBBE5EF85324F18855EF9959B2A2DB31EC45DB62

Function 00CBD733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CBD807
timeGetTime.WINMM ref: 00CBDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CBDB28
TranslateMessage.USER32(?), ref: 00CBDB7B
DispatchMessageW.USER32(?), ref: 00CBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CBDB9F
Sleep.KERNELBASE(0000000A), ref: 00CBDBB1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 99cdce98c655599a37261cd33b8b3fa6f344141944b38868adc080726efd2e5c
Instruction ID: 554b2154b5a2b0402df97c86857bc111cde694f55fd425bd8d3409af90e91dca
Opcode Fuzzy Hash: 99cdce98c655599a37261cd33b8b3fa6f344141944b38868adc080726efd2e5c
Instruction Fuzzy Hash: BE42E330605341EFD728CF24C898BBAB7E4FF45304F18455DE4AA87291EB71E944DBA2

Function 00CB2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB2D07
RegisterClassExW.USER32(00000030), ref: 00CB2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB2D42
InitCommonControlsEx.COMCTL32(?), ref: 00CB2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB2D6F
LoadIconW.USER32(000000A9), ref: 00CB2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB2D94

Strings

TaskbarCreated, xrefs: 00CB2D37
+, xrefs: 00CB2CF0
0, xrefs: 00CB2CE9
AutoIt v3 GUI, xrefs: 00CB2D23

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ac874d7901126dfb7b77c2dfd3cf5c62130b3e49b17d6ae374f900d926ed0a2b
Instruction ID: 665adf4b98dfa03e90d75937047d70dd42609612885f122aed75d9d47d575d0f
Opcode Fuzzy Hash: ac874d7901126dfb7b77c2dfd3cf5c62130b3e49b17d6ae374f900d926ed0a2b
Instruction Fuzzy Hash: 5421E5B9922308AFDB40EFA4E849BDDBBB8FB09700F10511AF511E63A0D7B10545CFA0

Function 00CF065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF039A: CreateFileW.KERNELBASE(00000000,00000000,?,00CF0704,?,?,00000000,?,00CF0704,00000000,0000000C), ref: 00CF03B7

GetLastError.KERNEL32 ref: 00CF076F
__dosmaperr.LIBCMT ref: 00CF0776
GetFileType.KERNELBASE(00000000), ref: 00CF0782
GetLastError.KERNEL32 ref: 00CF078C
__dosmaperr.LIBCMT ref: 00CF0795
CloseHandle.KERNEL32(00000000), ref: 00CF07B5
CloseHandle.KERNEL32(?), ref: 00CF08FF
GetLastError.KERNEL32 ref: 00CF0931
__dosmaperr.LIBCMT ref: 00CF0938

Strings

H, xrefs: 00CF08BD

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1c3d9c23d1624c154354e5136aeb853133e23b5b9f76d915419699dacd15a4a3
Instruction ID: c8507e2eeed7a19fa4e13fba79f0564a5435e9d76c065e29556b5d5dfb647bf3
Opcode Fuzzy Hash: 1c3d9c23d1624c154354e5136aeb853133e23b5b9f76d915419699dacd15a4a3
Instruction Fuzzy Hash: 31A11832A101088FDF59AF68D8517BE7BA0AF06320F24415EFA15DF3D2D7319916DBA2

Function 00CB344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D81418,?,00CB2E7F,?,?,?,00000000), ref: 00CB3A78

Part of subcall function 00CB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CB3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00CB356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CF318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CF31CE
RegCloseKey.ADVAPI32(?), ref: 00CF3210
_wcslen.LIBCMT ref: 00CF3277
_wcslen.LIBCMT ref: 00CF3286

Strings

\Include\, xrefs: 00CB3527
Software\AutoIt v3\AutoIt, xrefs: 00CB3560
Include, xrefs: 00CF3184, 00CF31C5
\, xrefs: 00CF328C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f52cacbbf6e3c14870773c34cad31bfd9ad9a047bd8f6a969f9158986e27e01d
Instruction ID: f39212bdb8a6428da3d89083079d1b2567430b03117aeb1457b8fd4469997db3
Opcode Fuzzy Hash: f52cacbbf6e3c14870773c34cad31bfd9ad9a047bd8f6a969f9158986e27e01d
Instruction Fuzzy Hash: 89717B71415304AEC314EF69EC919BBBBE8FF85740F40042EF545D32A1EB359A48DB62

Function 00CB2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00CB2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00CB2B9D
LoadIconW.USER32(00000063), ref: 00CB2BB3
LoadIconW.USER32(000000A4), ref: 00CB2BC5
LoadIconW.USER32(000000A2), ref: 00CB2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00CB2BEF
RegisterClassExW.USER32(?), ref: 00CB2C40

Part of subcall function 00CB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00CB2D07
Part of subcall function 00CB2CD4: RegisterClassExW.USER32(00000030), ref: 00CB2D31
Part of subcall function 00CB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00CB2D42
Part of subcall function 00CB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00CB2D5F
Part of subcall function 00CB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00CB2D6F
Part of subcall function 00CB2CD4: LoadIconW.USER32(000000A9), ref: 00CB2D85
Part of subcall function 00CB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00CB2D94

Strings

0, xrefs: 00CB2C0F
#, xrefs: 00CB2C16
AutoIt v3, xrefs: 00CB2C2F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4e200a3e0cd75400b2e07fb9d23a2edb027d9d3a92d28ff14f177d3b3ced76a3
Instruction ID: 1fe6ed15ba7d86b1292052669bea14d889fc55a7d0b51292001cbd3468953f37
Opcode Fuzzy Hash: 4e200a3e0cd75400b2e07fb9d23a2edb027d9d3a92d28ff14f177d3b3ced76a3
Instruction Fuzzy Hash: 84212978E21318ABDB109FA5EC55AED7FB8FB48B50F10001AE500E67A0D7B11549CFA0

Function 00CB3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00CB316A,?,?), ref: 00CB31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00CB316A,?,?), ref: 00CB3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CB3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00CB316A,?,?), ref: 00CB3232
CreatePopupMenu.USER32 ref: 00CB3246
PostQuitMessage.USER32(00000000), ref: 00CB3267

Strings

TaskbarCreated, xrefs: 00CB322D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 0fffca7991ac7ff1b9d36801b4bd61445947581dac78a328fead2bd55caaf30b
Instruction ID: 06f3481ad6d4bcdcc4fc67a7b1f775fc5fbd4d991decdbe2d7fa16eed5639feb
Opcode Fuzzy Hash: 0fffca7991ac7ff1b9d36801b4bd61445947581dac78a328fead2bd55caaf30b
Instruction Fuzzy Hash: B241E7392A0388A7DF156B7CDD1ABFD3A1DEB05340F040115F921D63A2DB719B459772

Function 00CB1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00CB1459
CoUninitialize.COMBASE ref: 00CB14F8
UnregisterHotKey.USER32(?), ref: 00CB16DD
DestroyWindow.USER32(?), ref: 00CF24B9
FreeLibrary.KERNEL32(?), ref: 00CF251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CF254B

Strings

close all, xrefs: 00CB1454

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 4b47c5dc7d415cfdb2f481ccd6a550eb3e2c2bcd0d4f87f41f1bfc32a7c555d7
Instruction ID: d969daeef739378a5d82438044e90d603202f90ef0a27210194af6ea68076bcd
Opcode Fuzzy Hash: 4b47c5dc7d415cfdb2f481ccd6a550eb3e2c2bcd0d4f87f41f1bfc32a7c555d7
Instruction Fuzzy Hash: B4D17E31702212CFCB69EF15C4A5B69F7A5FF05700F5841ADE94AAB251CB31AD12CF51

Function 00CB2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00CB2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00CB2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CB1CAD,?), ref: 00CB2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00CB1CAD,?), ref: 00CB2CCF

Strings

AutoIt v3, xrefs: 00CB2C89, 00CB2C8E, 00CB2C8F
edit, xrefs: 00CB2CAC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 968e6873f9edae4647784ab04a6d1d7b060a3025e73e405838d4ec1aaa4143b8
Instruction ID: f94a8d2662ff96068ba38ee73201a1a5820ec7eeadc5df9e90087ff45385ff2c
Opcode Fuzzy Hash: 968e6873f9edae4647784ab04a6d1d7b060a3025e73e405838d4ec1aaa4143b8
Instruction Fuzzy Hash: C8F0B7795613907BEB611B57AC08EB72EBDD7C6F50B00105AF900E26A0C665185ADFB0

Function 00CB3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00CB3B0F,SwapMouseButtons,00000004,?), ref: 00CB3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00CB3B0F,SwapMouseButtons,00000004,?), ref: 00CB3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00CB3B0F,SwapMouseButtons,00000004,?), ref: 00CB3B83

Strings

Control Panel\Mouse, xrefs: 00CB3B3E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 65eb83b2a59f13b3202e7847af9e913a9632f8e64f7ec412ec590098a31e8cf0
Instruction ID: b6d539c170f6c981422aa8a3412ffff3269820a4387fdc7c41c28de61880a8b0
Opcode Fuzzy Hash: 65eb83b2a59f13b3202e7847af9e913a9632f8e64f7ec412ec590098a31e8cf0
Instruction Fuzzy Hash: 7F1127B5621248FFDB208FA5DC84AEEBBB8EF05745F10856AA805D7214E6319F409BA0

Function 00CB3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CF33A2

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CB3A04

Strings

Line: , xrefs: 00CF33EB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b0f3a5aa0c84e8fdef3332cbaba2fb51c0499e7ff5f8d4477e3c923d7b0352f5
Instruction ID: a418daf5bb20f3dbb3081a1b32b1da8d51baf3ef5e1e125235b3a871e10a4641
Opcode Fuzzy Hash: b0f3a5aa0c84e8fdef3332cbaba2fb51c0499e7ff5f8d4477e3c923d7b0352f5
Instruction Fuzzy Hash: FC31C171448344ABC325EB20DC45BEBB7ECAB80710F10452AF599821A1EB709B4ED7D2

Function 00CCFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CD0668

Part of subcall function 00CD32A4: RaiseException.KERNEL32(?,?,?,00CD068A,?,00D81444,?,?,?,?,?,?,00CD068A,00CB1129,00D78738,00CB1129), ref: 00CD3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00CD0685

Strings

Unknown exception, xrefs: 00CD0692

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: fd994d60abbbd023b0354b38764103a3e9b7808a3064547f5a5eb413ae1f1f46
Instruction ID: 988abd58e34ade988d981dce1f066ca0440a168b47c082e7a1dba293e11dc0a9
Opcode Fuzzy Hash: fd994d60abbbd023b0354b38764103a3e9b7808a3064547f5a5eb413ae1f1f46
Instruction Fuzzy Hash: 12F0A434900249778B04BA69E84AE5D776D5E00350B70413ABA2896692EF71DB169591

Function 00CB10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CB1BF4
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CB1BFC
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CB1C07
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CB1C12
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CB1C1A
Part of subcall function 00CB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB1C22

Part of subcall function 00CB1B4A: RegisterWindowMessageW.USER32(00000004,?,00CB12C4), ref: 00CB1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00CB136A
OleInitialize.OLE32 ref: 00CB1388
CloseHandle.KERNEL32(00000000,00000000), ref: 00CF24AB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3ec72773dffeebb489c27e222ddde738eb4930db828eb07f8d867ba1fe1e4ae5
Instruction ID: 4445c26a254bde54042e822afab60cd579a136a6e994ed12918cd120df0965d8
Opcode Fuzzy Hash: 3ec72773dffeebb489c27e222ddde738eb4930db828eb07f8d867ba1fe1e4ae5
Instruction Fuzzy Hash: 75718CBC9213009FC384EF7AE8566953AFCFB89344B5486AAD44AD7361EB30440E9F75

Function 00D1C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00CB3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D1C259
KillTimer.USER32(?,00000001,?,?), ref: 00D1C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D1C270

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ab7b9c4112eba92a977517545b3b85dba9f6e7a0fe64095b8edf7932f12fa5ca
Instruction ID: 5daaf73a739c2bcf4eedc9832dd771ea59a457074002d7c7cbe7f740e6e402da
Opcode Fuzzy Hash: ab7b9c4112eba92a977517545b3b85dba9f6e7a0fe64095b8edf7932f12fa5ca
Instruction Fuzzy Hash: 7131E370950344BFEB328F649845BEBBBEC9B06308F04109ED2DA93241CB745AC8CB65

Function 00CE86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00CE85CC,?,00D78CC8,0000000C), ref: 00CE8704
GetLastError.KERNEL32(?,00CE85CC,?,00D78CC8,0000000C), ref: 00CE870E
__dosmaperr.LIBCMT ref: 00CE8739

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: fd72aca83a6329d09cee2b0a4f3a6224322e5b8d31eb8e11284fffb637c20f11
Instruction ID: 1df5389f93efa75fdc0087dfb4cd64ec03c7db94601d03bd3a9e1ca6b9087efa
Opcode Fuzzy Hash: fd72aca83a6329d09cee2b0a4f3a6224322e5b8d31eb8e11284fffb637c20f11
Instruction Fuzzy Hash: 06018E336156E017C2606737684677E7B4D4F82778F390119F92CCB1E2DEA0CD89D260

Function 00CBDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00CBDB7B
DispatchMessageW.USER32(?), ref: 00CBDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CBDB9F
Sleep.KERNELBASE(0000000A), ref: 00CBDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00D01CC9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 3574a36dda5b26bf91cea721d5dc1d2bfc70e1e167ebafecbd2d52a2064f4a58
Instruction ID: 2ace7b404421e0ab1cc5b9eef4a66e2bbbe0804105f358115acc8b8bfb7e15de
Opcode Fuzzy Hash: 3574a36dda5b26bf91cea721d5dc1d2bfc70e1e167ebafecbd2d52a2064f4a58
Instruction Fuzzy Hash: E1F05E346553409BEB70CB60CC49FEA73BCEB45311F504618E65AD31C0EB3094898B35

Function 00CC1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00CC17F6

Strings

CALL, xrefs: 00CC17C6

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ada7808ce35fa4d2ccc699e4eb02451aa25eaa9edf8d304bfad201122a31180d
Instruction ID: affbc643892b96123180fd229898eea3d376b4716fad484325d1b6f231e15dc0
Opcode Fuzzy Hash: ada7808ce35fa4d2ccc699e4eb02451aa25eaa9edf8d304bfad201122a31180d
Instruction Fuzzy Hash: 97226B706082019FC714DF16C494F2ABBF1BF86314F28895DF89A8B3A2D731E955DB92

Function 00CB2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00CF2C8C

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

Part of subcall function 00CB2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CB2DC4

Strings

X, xrefs: 00CF2C5A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 560f32af8a6cef71373cc74a074540d664d161d52e50e6a324c5b5acf86b67bc
Instruction ID: 91f09702ab792c5756787df73cc8af2d837a873dfc29f20179d5803ef7b22346
Opcode Fuzzy Hash: 560f32af8a6cef71373cc74a074540d664d161d52e50e6a324c5b5acf86b67bc
Instruction Fuzzy Hash: 4A219371A102989BDB41DF94C845BEE7BFCAF49704F008059E509A7341EBB49A499F61

Function 00CB3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CB3908

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 89ebb1daaf6f6a6a896fc0f2439173681ea031e9b0ea48e369b034b62e196314
Instruction ID: a7733768fcb1de60c9a98a3019633132ced56720404350c24c60b99ac3a36546
Opcode Fuzzy Hash: 89ebb1daaf6f6a6a896fc0f2439173681ea031e9b0ea48e369b034b62e196314
Instruction Fuzzy Hash: 48316B74A047419FD761DF24D8847D7BBE8FB49708F00092EF6A987290E771AA49CB62

Function 00CCF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CCF661

Part of subcall function 00CBD733: GetInputState.USER32 ref: 00CBD807

Sleep.KERNEL32(00000000), ref: 00D0F2DE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: c3140cfc9119b7c1bce7eac3149c5c7d285ed838278b4f01af521e1b2dd3d2e6
Instruction ID: f454e875d845b14be3ffa9e9ca41336d9c61399ed64a99e90a4384fc718cb944
Opcode Fuzzy Hash: c3140cfc9119b7c1bce7eac3149c5c7d285ed838278b4f01af521e1b2dd3d2e6
Instruction Fuzzy Hash: 36F08C35240305AFD360EF79D449BAAB7E8EF46760F000029F85AC73A0DBB0AC00CBA1

Function 00CB4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E9C
Part of subcall function 00CB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CB4EAE
Part of subcall function 00CB4E90: FreeLibrary.KERNEL32(00000000,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4EFD

Part of subcall function 00CB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E62
Part of subcall function 00CB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CB4E74
Part of subcall function 00CB4E59: FreeLibrary.KERNEL32(00000000,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E87

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7d348e9c3554d40429a384477e799e1367357050d22e46589f7f3fa5a2f46d30
Instruction ID: 5a85a5bb91fa504d1e2fc308d9a32688ee14830bd70a428ea7d69430636a73b6
Opcode Fuzzy Hash: 7d348e9c3554d40429a384477e799e1367357050d22e46589f7f3fa5a2f46d30
Instruction Fuzzy Hash: 0A11C432614205ABCF18BBA4DC02BFE77A59F40710F104429F542A71C2EE70DE45A760

Function 00CE8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00CE8440

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a1745549dff80c1cac675a24f77a755dc6750f8dd5ce35aebac334a72d463b6f
Instruction ID: 6ac58364871d4d3e50826350aad330764273dc3d4de98bef903f6f8cf4ef84a0
Opcode Fuzzy Hash: a1745549dff80c1cac675a24f77a755dc6750f8dd5ce35aebac334a72d463b6f
Instruction Fuzzy Hash: AB11487190420AAFCB05DF59E94099E7BF4EF48310F104059F808AB352DA30EA15CBA5

Function 00CE5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE4C7D: RtlAllocateHeap.NTDLL(00000008,00CB1129,00000000,?,00CE2E29,00000001,00000364,?,?,?,00CDF2DE,00CE3863,00D81444,?,00CCFDF5,?), ref: 00CE4CBE

_free.LIBCMT ref: 00CE506C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: aa3366b70a29955f7a057b0180e81a7196aee893612dde1528f93e3567efd73f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 390126722047846BE3218E669885A5AFBECFB89370F25051DF194832C0EA70A905C6B4

Function 00CDE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: f05a4f1ca0d0c7a9c5a5fcc8ea0b5c7c46ef4f031328b464f0a9ddf3ff693029
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C5F0F432510A1896C6313A6B8C05B9A339C9F52334F10071BF6259A3D2DB74E907A6A5

Function 00CE4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00CB1129,00000000,?,00CE2E29,00000001,00000364,?,?,?,00CDF2DE,00CE3863,00D81444,?,00CCFDF5,?), ref: 00CE4CBE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: aa0330cea4865b0897b1408e975fad2f0c13426fe502b6d9262a926ca959fd92
Instruction ID: 3452c03550955508b56a62a4554ec904138e9d5c925798659fa4a0d8750bfb1d
Opcode Fuzzy Hash: aa0330cea4865b0897b1408e975fad2f0c13426fe502b6d9262a926ca959fd92
Instruction Fuzzy Hash: F8F0E2316032A467DB295F679C09B5A3788BF817A0B344126BA2AEB790CA30D90196E0

Function 00CE3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7ca1a649e57692edf6cc8f582284577ca8a51095419ae2c6906361ca3a7e08ef
Instruction ID: c2d9bc6337887ed0c00163cdf27fee814961582e717feba556d101624578b758
Opcode Fuzzy Hash: 7ca1a649e57692edf6cc8f582284577ca8a51095419ae2c6906361ca3a7e08ef
Instruction Fuzzy Hash: CEE0E5312012E467D7312AA79C09B9A3748AB827B4F050123BE25976D0CB20FF0192F0

Function 00CB4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4F6D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d587750582e523508b8a3e704da259042e4081104b02cb65f76f35220ab28a49
Instruction ID: 371810bc6bd8e087aeeefe976e279b5b939894eef31cf790bbb747b89c1aa12a
Opcode Fuzzy Hash: d587750582e523508b8a3e704da259042e4081104b02cb65f76f35220ab28a49
Instruction Fuzzy Hash: E1F03971509752CFDB38AFA5D4908A2BBF4EF14329720897EE2EA83622C7319C44DF10

Function 00D42A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D42A66

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: a9ad8a6b4f9514da3d1bb963b608a51b9c0d8967b1079b57c7c0005597c6bc24
Instruction ID: c53ad82dd5d4011791d8c39b8bc96ce7c8ba6e039f9ac51a9c9f18bedd1e7dc4
Opcode Fuzzy Hash: a9ad8a6b4f9514da3d1bb963b608a51b9c0d8967b1079b57c7c0005597c6bc24
Instruction Fuzzy Hash: CCE04F36360226BBC754EB30FC858FA735CEB613957508536BC56C3110DF30DA9686B0

Function 00CB30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CB314E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7c23dc2e50363a2333801fcca590af2b259eb66f948b84cc057dfc0142465c5e
Instruction ID: 2291cb5e761674f06180c102cb570a9293c91a123a318ac8040f882e2b195d27
Opcode Fuzzy Hash: 7c23dc2e50363a2333801fcca590af2b259eb66f948b84cc057dfc0142465c5e
Instruction Fuzzy Hash: 7CF037749143549FE7529F64DC467D97BBCA701708F0000E9A648D6391E7745B89CF61

Function 00CB2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CB2DC4

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: df1559b053c988b51f0e234bf4b26cbc7cf9aba3bf1d64a97076b4028a957851
Instruction ID: 88cd8a190c56394bacf683fda01a83459860ac081c7acd67d1366c1a01e66ea8
Opcode Fuzzy Hash: df1559b053c988b51f0e234bf4b26cbc7cf9aba3bf1d64a97076b4028a957851
Instruction Fuzzy Hash: 06E0CD766012245BC710D698DC05FEA77EDDFC8790F040071FD09D7248D9A4AD809551

Function 00CB2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00CB3908

Part of subcall function 00CBD733: GetInputState.USER32 ref: 00CBD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00CB2B6B

Part of subcall function 00CB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00CB314E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 3162aaddb7d73adb7c5c0efa56c9783a5f1f37407f7e455a25f6eca99a167460
Instruction ID: 8d77ca7b4c68eac29c26a403139c68e204eb34de6d1160b61795ca22ce3d5cd6
Opcode Fuzzy Hash: 3162aaddb7d73adb7c5c0efa56c9783a5f1f37407f7e455a25f6eca99a167460
Instruction Fuzzy Hash: 2DE0862530428407CA04BB74A8565EDA7599BD1751F40153EF143872A3DE254A4A5362

Function 00CF039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00CF0704,?,?,00000000,?,00CF0704,00000000,0000000C), ref: 00CF03B7

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a4cbc7b217a6b666709883b23a6143d1478007c5493318ef03654fbf34ebdb9f
Instruction ID: 04fb20b538360f996cd1eb855a26e1ca83c32b052fa924a3dc478606c3a2f781
Opcode Fuzzy Hash: a4cbc7b217a6b666709883b23a6143d1478007c5493318ef03654fbf34ebdb9f
Instruction Fuzzy Hash: 67D06C3205024DBBDF028F84DD06EDA3BAAFB48714F014000BE1896120C732E821AB90

Function 00CB1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00CB1CBC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0a7f51076eef21e987fdda40668e96e61e8c2add31553e098cc88ae21312e4a5
Instruction ID: a032e0fbdda815dcf8252e879a347d7bc7ffd37f418a72f003e43c25a2c008c9
Opcode Fuzzy Hash: 0a7f51076eef21e987fdda40668e96e61e8c2add31553e098cc88ae21312e4a5
Instruction Fuzzy Hash: 65C09B392E03049FF2144B80FC4AF647764A348B00F044001F709D57E3C3A12410D770

Non-executed Functions

Function 00D49576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D4961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D4965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D4969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D496C9
SendMessageW.USER32 ref: 00D496F2
GetKeyState.USER32(00000011), ref: 00D4978B
GetKeyState.USER32(00000009), ref: 00D49798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D497AE
GetKeyState.USER32(00000010), ref: 00D497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D497E9
SendMessageW.USER32 ref: 00D49810
SendMessageW.USER32(?,00001030,?,00D47E95), ref: 00D49918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D4992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D49941
SetCapture.USER32(?), ref: 00D4994A
ClientToScreen.USER32(?,?), ref: 00D499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D499D6
ReleaseCapture.USER32 ref: 00D499E1
GetCursorPos.USER32(?), ref: 00D49A19
ScreenToClient.USER32(?,?), ref: 00D49A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D49A80
SendMessageW.USER32 ref: 00D49AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D49AEB
SendMessageW.USER32 ref: 00D49B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D49B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D49B4A
GetCursorPos.USER32(?), ref: 00D49B68
ScreenToClient.USER32(?,?), ref: 00D49B75
GetParent.USER32(?), ref: 00D49B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D49BFA
SendMessageW.USER32 ref: 00D49C2B
ClientToScreen.USER32(?,?), ref: 00D49C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D49CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D49CDE
SendMessageW.USER32 ref: 00D49D01
ClientToScreen.USER32(?,?), ref: 00D49D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D49D82

Part of subcall function 00CC9944: GetWindowLongW.USER32(?,000000EB), ref: 00CC9952

GetWindowLongW.USER32(?,000000F0), ref: 00D49E05

Strings

@GUI_DRAGID, xrefs: 00D4997D
F, xrefs: 00D49D07

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 3a3821383ea48523a3369e285978491c87d1b1a84a213fcff0ca3869f435323b
Instruction ID: cd8d2e333d550a6b4b5c7ac7809a7b13962d60ba6c9aacb43cc1d60d6af89158
Opcode Fuzzy Hash: 3a3821383ea48523a3369e285978491c87d1b1a84a213fcff0ca3869f435323b
Instruction Fuzzy Hash: 34428934205301AFDB20DF25CCA4EABBBE9EF49310F194619F6A9872A1D731E855CF61

Function 00D44873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00D448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00D44908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00D44927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00D4494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00D4495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00D4497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00D449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00D449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00D44A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D44A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00D44A7E
IsMenu.USER32(?), ref: 00D44A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D44AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D44B20
GetWindowLongW.USER32(?,000000F0), ref: 00D44B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00D44BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00D44C82
wsprintfW.USER32 ref: 00D44CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D44CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D44CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D44D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D44D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00D44D5A

Strings

%d/%02d/%02d, xrefs: 00D44CA8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5be3ee3baf13e953407c1da2a00d97d62eccef631a0141963d8d02846191c57d
Instruction ID: 9eea34ed6fb8af273df97547118ad6a18b8214e76786476557689505e1425e5c
Opcode Fuzzy Hash: 5be3ee3baf13e953407c1da2a00d97d62eccef631a0141963d8d02846191c57d
Instruction Fuzzy Hash: 8612DF71600314ABEB259F24CC49FAE7BF8EF45710F188129F916EA2E1DB74D985CB60

Function 00CCF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00CCF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D0F474
IsIconic.USER32(00000000), ref: 00D0F47D
ShowWindow.USER32(00000000,00000009), ref: 00D0F48A
SetForegroundWindow.USER32(00000000), ref: 00D0F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D0F4AA
GetCurrentThreadId.KERNEL32 ref: 00D0F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D0F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D0F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D0F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D0F4DE
SetForegroundWindow.USER32(00000000), ref: 00D0F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F4F6
keybd_event.USER32(00000012,00000000), ref: 00D0F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F50B
keybd_event.USER32(00000012,00000000), ref: 00D0F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F519
keybd_event.USER32(00000012,00000000), ref: 00D0F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D0F528
keybd_event.USER32(00000012,00000000), ref: 00D0F52D
SetForegroundWindow.USER32(00000000), ref: 00D0F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D0F557

Strings

Shell_TrayWnd, xrefs: 00D0F46F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7577eea93e1d585bd1fa008cdd4c54d8f84582ec237152c36b3c4aa2a214bcbd
Instruction ID: 82df9588293d383ebcee0b6255dca173bc86fd91d35f48dd66135c49eaa62666
Opcode Fuzzy Hash: 7577eea93e1d585bd1fa008cdd4c54d8f84582ec237152c36b3c4aa2a214bcbd
Instruction Fuzzy Hash: 42316375A51318BBEB306FB59C4AFBF7E6CEB45B50F241025FA04E62D1C6B09D00AA70

Function 00D11201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00D116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D1170D
Part of subcall function 00D116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D1173A
Part of subcall function 00D116C3: GetLastError.KERNEL32 ref: 00D1174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D11286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D112A8
CloseHandle.KERNEL32(?), ref: 00D112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D112D1
GetProcessWindowStation.USER32 ref: 00D112EA
SetProcessWindowStation.USER32(00000000), ref: 00D112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D11310

Part of subcall function 00D110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D111FC), ref: 00D110D4
Part of subcall function 00D110BF: CloseHandle.KERNEL32(?,?,00D111FC), ref: 00D110E9

Strings

default, xrefs: 00D1130B
, xrefs: 00D1125A
winsta0, xrefs: 00D112CC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: be7e58c91dc826a9dd25db4806bec71dd6f407142b6eb64bae1167ce492d56da
Instruction ID: 4e20cd7148c187908202f53e2ec8d3eec255ee7f12cc8478fea61a33c4dfe8c1
Opcode Fuzzy Hash: be7e58c91dc826a9dd25db4806bec71dd6f407142b6eb64bae1167ce492d56da
Instruction Fuzzy Hash: EB818D75A00309BBDF109FA4EC49BEE7BB9EF05704F184129FA10E62A1DB718984CB31

Function 00D10B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D11114
Part of subcall function 00D110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11120
Part of subcall function 00D110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D1112F
Part of subcall function 00D110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11136
Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D10BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D10C00
GetLengthSid.ADVAPI32(?), ref: 00D10C17
GetAce.ADVAPI32(?,00000000,?), ref: 00D10C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D10C6D
GetLengthSid.ADVAPI32(?), ref: 00D10C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D10C8C
HeapAlloc.KERNEL32(00000000), ref: 00D10C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D10CB4
CopySid.ADVAPI32(00000000), ref: 00D10CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D10CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D10D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D10D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10D45
HeapFree.KERNEL32(00000000), ref: 00D10D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10D55
HeapFree.KERNEL32(00000000), ref: 00D10D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10D65
HeapFree.KERNEL32(00000000), ref: 00D10D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D10D78
HeapFree.KERNEL32(00000000), ref: 00D10D7F

Part of subcall function 00D11193: GetProcessHeap.KERNEL32(00000008,00D10BB1,?,00000000,?,00D10BB1,?), ref: 00D111A1
Part of subcall function 00D11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D10BB1,?), ref: 00D111A8
Part of subcall function 00D11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D10BB1,?), ref: 00D111B7

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 798bd35adfae9e67ca55f01c147a039b8f9755f595fcfaf9380f496deeec79a1
Instruction ID: 5c5d77362d2dc7170a09c2b788e363fce3409b3e57bdc64cca84ca4f4a61a97a
Opcode Fuzzy Hash: 798bd35adfae9e67ca55f01c147a039b8f9755f595fcfaf9380f496deeec79a1
Instruction Fuzzy Hash: 1F715F75A0120ABBDF10EFA4EC44BEEBBBDBF05300F084515E914E6251DBB1A985CB70

Function 00D2EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D4CC08), ref: 00D2EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D2EB37
GetClipboardData.USER32(0000000D), ref: 00D2EB43
CloseClipboard.USER32 ref: 00D2EB4F
GlobalLock.KERNEL32(00000000), ref: 00D2EB87
CloseClipboard.USER32 ref: 00D2EB91
GlobalUnlock.KERNEL32(00000000), ref: 00D2EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00D2EBC9
GetClipboardData.USER32(00000001), ref: 00D2EBD1
GlobalLock.KERNEL32(00000000), ref: 00D2EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00D2EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00D2EC38
GetClipboardData.USER32(0000000F), ref: 00D2EC44
GlobalLock.KERNEL32(00000000), ref: 00D2EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00D2EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D2EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00D2ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00D2ECF3
CountClipboardFormats.USER32 ref: 00D2ED14
CloseClipboard.USER32 ref: 00D2ED59

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 245acf37924e42ec3154d80607e03802049f3b8d76a69baedc31ddab38b21500
Instruction ID: bf314fbd8b7f87b017e157fa88e75e7a4dfa33f3d7f26c7ee33d63508691c3e5
Opcode Fuzzy Hash: 245acf37924e42ec3154d80607e03802049f3b8d76a69baedc31ddab38b21500
Instruction Fuzzy Hash: D261DE38204301AFD300EF64E888F6A7BA4EF95718F185519F496C72A2DB71ED45DBB2

Function 00D2698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D269BE
FindClose.KERNEL32(00000000), ref: 00D26A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D26A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D26A75

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00D26AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D26ADF

Strings

%03d, xrefs: 00D26DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00D26B32
%02d, xrefs: 00D26C00, 00D26C0A, 00D26C5A, 00D26CAA, 00D26CFA, 00D26D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00D26B6A
%4d, xrefs: 00D26BB1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1255950cd9ab1be89b8d9095de1799558a01376cef2fdbf58942f95c91a90d39
Instruction ID: 23ce579d9b2a9e0a0b7503998eef142fecb604c29daa0fd7c5ec8a0296177d7e
Opcode Fuzzy Hash: 1255950cd9ab1be89b8d9095de1799558a01376cef2fdbf58942f95c91a90d39
Instruction Fuzzy Hash: FAD15172508300AFC710EFA4D891EABB7ECAF99704F04491DF589D7291EB74DA48DB62

Function 00D29642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D29663
GetFileAttributesW.KERNEL32(?), ref: 00D296A1
SetFileAttributesW.KERNEL32(?,?), ref: 00D296BB
FindNextFileW.KERNEL32(00000000,?), ref: 00D296D3
FindClose.KERNEL32(00000000), ref: 00D296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00D296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00D2974A
SetCurrentDirectoryW.KERNEL32(00D76B7C), ref: 00D29768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D29772
FindClose.KERNEL32(00000000), ref: 00D2977F
FindClose.KERNEL32(00000000), ref: 00D2978F

Strings

*.*, xrefs: 00D296F5

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d83247c4a06fdb90d16e305800b72a0045e1b9a8e77cfe2d0ad38e99890b309a
Instruction ID: 48c4abc32de2c76fd9a9b158e9f5e70a95402877e922efa883b55e7d3aef465f
Opcode Fuzzy Hash: d83247c4a06fdb90d16e305800b72a0045e1b9a8e77cfe2d0ad38e99890b309a
Instruction Fuzzy Hash: 5731E4365016296FDB14EFB4EC58ADEB7ACAF0A325F144156F905E3190EB70DD448E34

Function 00D2979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00D297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00D29819
FindClose.KERNEL32(00000000), ref: 00D29824
FindFirstFileW.KERNEL32(*.*,?), ref: 00D29840
SetCurrentDirectoryW.KERNEL32(?), ref: 00D29890
SetCurrentDirectoryW.KERNEL32(00D76B7C), ref: 00D298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D298B8
FindClose.KERNEL32(00000000), ref: 00D298C5
FindClose.KERNEL32(00000000), ref: 00D298D5

Part of subcall function 00D1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D1DB00

Strings

*.*, xrefs: 00D2983B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6a56cb693863eab87d2bac639cd0d1168c95c4ce164caca683524e212f6801a5
Instruction ID: 92f00c292870f019b8c73cbd8a12edc9e7b6a4b91b4804ada1a38b8c22b4cba9
Opcode Fuzzy Hash: 6a56cb693863eab87d2bac639cd0d1168c95c4ce164caca683524e212f6801a5
Instruction Fuzzy Hash: 483114315016296FDB14EFB4EC58ADEF3ACAF16324F184156E904E2190EB70D949CA74

Function 00D3BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00D3BFA9
RegCloseKey.ADVAPI32(00000000), ref: 00D3BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D3C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D3C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D3C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D3C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00D3C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00D3C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D3C382
RegCloseKey.ADVAPI32(00000000), ref: 00D3C38F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 7740e3f60f4fd330bc8d2faae2a6efa90223b72f8d5a0527035c4eda534aabd1
Instruction ID: 2c9823e8f693f3be2972368090beb33b0d83d5effcba4e88be76f1b7776a6e26
Opcode Fuzzy Hash: 7740e3f60f4fd330bc8d2faae2a6efa90223b72f8d5a0527035c4eda534aabd1
Instruction Fuzzy Hash: 9A0271716142009FC714DF28C891E2ABBE5EF89314F18D49DF88ADB2A2DB31EC45CB61

Function 00D28195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D28257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D28267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D28273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D28310
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28324
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D2838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28395

Strings

*.*, xrefs: 00D2839B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 6f6004287303f651e048e8fabb0e2ff6706e89c8c533d9db65dea64059dbd6d9
Instruction ID: c9c55e61246942f308255185a235c14f4ab0ae65120fc8440fa4272f0ccceb13
Opcode Fuzzy Hash: 6f6004287303f651e048e8fabb0e2ff6706e89c8c533d9db65dea64059dbd6d9
Instruction Fuzzy Hash: E9618D725043159FC710EF64D8809AEB3E8FF99314F04891EF989C7251EB31E949DBA2

Function 00D1D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

Part of subcall function 00D1E199: GetFileAttributesW.KERNEL32(?,00D1CF95), ref: 00D1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D1D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D1D1DD
MoveFileW.KERNEL32(?,?), ref: 00D1D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D1D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D1D237

Part of subcall function 00D1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D1D21C,?,?), ref: 00D1D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00D1D253
FindClose.KERNEL32(00000000), ref: 00D1D264

Strings

\*.*, xrefs: 00D1D0CD, 00D1D0D6, 00D1D0EB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4b5fb9145d31d8a783e5318c2e2b714751a640ca5120d5e7cd69150467f9f997
Instruction ID: 4f8c4deaaa683f2e2ef847ce0a3080f848e3cb4862186fb6266f6fbbbe5aa7cb
Opcode Fuzzy Hash: 4b5fb9145d31d8a783e5318c2e2b714751a640ca5120d5e7cd69150467f9f997
Instruction Fuzzy Hash: 24615B3180124DABCF05EBE0E9929EDB7B6AF55300F244165E402771A1EF31AF89EB70

Function 00D2ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D2ED91
EmptyClipboard.USER32 ref: 00D2ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00D2EDAC
CloseClipboard.USER32 ref: 00D2EEA3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 213219cccd4d2529c8022e8da4b14657ecafaa89ddde2473ee6ce9ffc72430f6
Instruction ID: 1358d75ba4260ecf0ec9cfb96fe00907e78f0597d3c50f12baa36b075d5daa8f
Opcode Fuzzy Hash: 213219cccd4d2529c8022e8da4b14657ecafaa89ddde2473ee6ce9ffc72430f6
Instruction Fuzzy Hash: F741AE39205621AFD320DF16E888B29BBE5EF55318F19C099F415CB762C775EC41CBA0

Function 00D1E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D1170D
Part of subcall function 00D116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D1173A
Part of subcall function 00D116C3: GetLastError.KERNEL32 ref: 00D1174A

ExitWindowsEx.USER32(?,00000000), ref: 00D1E932

Strings

, xrefs: 00D1E95C
@, xrefs: 00D1E925
, xrefs: 00D1E920
SeShutdownPrivilege, xrefs: 00D1E902

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8d92e412a5c0cfbe8b4cb5c605f024c96582fb54fcd4b251f5307928a8af95d7
Instruction ID: 7d49cd5400704207fdd74a67ca8e9763f48f3c53132fb0ba449270d923152bdd
Opcode Fuzzy Hash: 8d92e412a5c0cfbe8b4cb5c605f024c96582fb54fcd4b251f5307928a8af95d7
Instruction Fuzzy Hash: 9B01A776620311BBEB542774BC86BFA735C9B18750F194422FD03E21D1DDA59CC089B4

Function 00D31204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D31276
WSAGetLastError.WSOCK32 ref: 00D31283
bind.WSOCK32(00000000,?,00000010), ref: 00D312BA
WSAGetLastError.WSOCK32 ref: 00D312C5
closesocket.WSOCK32(00000000), ref: 00D312F4
listen.WSOCK32(00000000,00000005), ref: 00D31303
WSAGetLastError.WSOCK32 ref: 00D3130D
closesocket.WSOCK32(00000000), ref: 00D3133C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 51e3f457c6eaeff92f200d4679873917a2801b350d781132a12b643821f18cca
Instruction ID: 7a9e3f281d12d62265a7032a02f667f6476c1e51f02b5c90a536bb1160bdd37a
Opcode Fuzzy Hash: 51e3f457c6eaeff92f200d4679873917a2801b350d781132a12b643821f18cca
Instruction Fuzzy Hash: A84191396002019FD710DF64C489B6ABBE5BF46318F188198E8568F396C771EC85CBF1

Function 00D1D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

Part of subcall function 00D1E199: GetFileAttributesW.KERNEL32(?,00D1CF95), ref: 00D1E19A

FindFirstFileW.KERNEL32(?,?), ref: 00D1D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00D1D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00D1D481
FindClose.KERNEL32(00000000), ref: 00D1D498
FindClose.KERNEL32(00000000), ref: 00D1D4A1

Strings

\*.*, xrefs: 00D1D3F2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d5c000e83238ba89476cf347262a3e2bbd5efc40a99ef303267d7a0e0ed8d246
Instruction ID: 319b01128b349191d51b802d633deba8a735e02ed442548365ad24777c58bbe8
Opcode Fuzzy Hash: d5c000e83238ba89476cf347262a3e2bbd5efc40a99ef303267d7a0e0ed8d246
Instruction Fuzzy Hash: 47317E31019385ABC304EF64D8919EFB7E8AE96300F444A1DF4D1921A1EF70EA49E773

Function 00CEE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CEE645

Strings

1#SNAN, xrefs: 00CEF844
1#IND, xrefs: 00CEF83D
1#QNAN, xrefs: 00CEF84B
1#INF, xrefs: 00CEF852

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3776a9c6d4d99aa986c24112f6a257d1fae1ed0a97fbcbfb0b35c963c62d0597
Instruction ID: 2033e09336a48741d648082b4d6a53f3351a77ec67ff20a3493444238ea5eb0c
Opcode Fuzzy Hash: 3776a9c6d4d99aa986c24112f6a257d1fae1ed0a97fbcbfb0b35c963c62d0597
Instruction Fuzzy Hash: FFC26D72E046688FDB25CF29DD407EAB7B5EB48345F1441EAD85DE7280E774AE828F40

Function 00D2648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D264DC
CoInitialize.OLE32(00000000), ref: 00D26639
CoCreateInstance.OLE32(00D4FCF8,00000000,00000001,00D4FB68,?), ref: 00D26650
CoUninitialize.OLE32 ref: 00D268D4

Strings

.lnk, xrefs: 00D264BA, 00D26524, 00D265E0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: b30622a29c714ef1bab16f2e466ea7884ea44336b328e8168359d54d72f5d1d5
Instruction ID: f9b3dfeb17eff5eba88556277173a9fe59ad128bfc08208a907587bdd2ebbd5a
Opcode Fuzzy Hash: b30622a29c714ef1bab16f2e466ea7884ea44336b328e8168359d54d72f5d1d5
Instruction Fuzzy Hash: 31D15B715083119FC304EF64D8819ABB7E8FF95308F14495DF5958B2A1EB31ED05CBA2

Function 00D322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00D322E8

Part of subcall function 00D2E4EC: GetWindowRect.USER32(?,?), ref: 00D2E504

GetDesktopWindow.USER32 ref: 00D32312
GetWindowRect.USER32(00000000), ref: 00D32319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00D32355
GetCursorPos.USER32(?), ref: 00D32381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D323DF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 48f444ea5fd7b13e2c08c5c649b462fcb9fdee49a7575d335c9be08c82432b92
Instruction ID: 6bfc427e9375f5ed46a47ae461fb04a6dd31963c4c35bf08fc30fabb71c81651
Opcode Fuzzy Hash: 48f444ea5fd7b13e2c08c5c649b462fcb9fdee49a7575d335c9be08c82432b92
Instruction Fuzzy Hash: 0A31CD72905315ABD720DF14D849AABBBA9FF85314F04091DF985D7291DB34EA08CBA2

Function 00D29B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00D29B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00D29C8B

Part of subcall function 00D23874: GetInputState.USER32 ref: 00D238CB
Part of subcall function 00D23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D23966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00D29BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00D29C75

Strings

*.*, xrefs: 00D29B5D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f6da8f2a587c3555f4b8f7092ef3ca0fde3099ac4ac19db30e10ab5825324848
Instruction ID: 85459b0731a7cf42dd2cb895afe2813c306b2106dca85a5ca1c8ae94abeeec6f
Opcode Fuzzy Hash: f6da8f2a587c3555f4b8f7092ef3ca0fde3099ac4ac19db30e10ab5825324848
Instruction Fuzzy Hash: C841B17190421AAFCF14DFA4D895AEEBBF8FF55304F24405AE805A2291EB309E84DF70

Function 00CC997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00CC9A4E
GetSysColor.USER32(0000000F), ref: 00CC9B23
SetBkColor.GDI32(?,00000000), ref: 00CC9B36

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fb6a745356b6cc5954779d5de8e2bb7fcf1737dbbe95d5064d0f6b4231a0c31a
Instruction ID: 95389e5578623305956a00ea54f93f3db1d97560d1fd67a8669f4a455c9e67f0
Opcode Fuzzy Hash: fb6a745356b6cc5954779d5de8e2bb7fcf1737dbbe95d5064d0f6b4231a0c31a
Instruction Fuzzy Hash: 5BA11771609544BFE728AA2ECC5DF7B365DEB86340F19010DF016DA6E1CA35AE01E375

Function 00D31806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D3307A
Part of subcall function 00D3304E: _wcslen.LIBCMT ref: 00D3309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D3185D
WSAGetLastError.WSOCK32 ref: 00D31884
bind.WSOCK32(00000000,?,00000010), ref: 00D318DB
WSAGetLastError.WSOCK32 ref: 00D318E6
closesocket.WSOCK32(00000000), ref: 00D31915

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: aad2b1bc054c9957d747807a3d8ec1908e2bfcfa06661b4c4a62c4722b43c33d
Instruction ID: 39bd79b01d20be3f2a6c85cdd58f8359a637ba0630e713af2d8cd52d5116a008
Opcode Fuzzy Hash: aad2b1bc054c9957d747807a3d8ec1908e2bfcfa06661b4c4a62c4722b43c33d
Instruction Fuzzy Hash: 8A51B175A00200AFEB10EF24C886F6A77E5AB49718F18809CF9169F3D3C771AD419BB1

Function 00D41C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D41CC0
IsWindowEnabled.USER32 ref: 00D41CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00D41CDB
IsIconic.USER32 ref: 00D41CE9
IsZoomed.USER32 ref: 00D41CF7

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a317e4c801b980f328f9b2cda4035d48b9795d40e3967e48c9483b75ab1cce62
Instruction ID: cdaf54502f7060b9f6363bd6995c8155d612d802cf2efde667694139db9880b7
Opcode Fuzzy Hash: a317e4c801b980f328f9b2cda4035d48b9795d40e3967e48c9483b75ab1cce62
Instruction Fuzzy Hash: 0A2191397412115FD7208F1ADC84B6ABBA5EF85315F1D9058E84ACB351C771EC82CBB0

Function 00CB8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CB83E8
VUUU, xrefs: 00CB83FA
VUUU, xrefs: 00CB843C
ERCP, xrefs: 00CB813C
VUUU, xrefs: 00CF5DF0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0a13dffd5f822c04e3e486fde9a24584f9dc5206fa44c44ac4daf7a2aae97bac
Instruction ID: 33917e466e234bcfc94ab349acded2720780f0ed51a3c9391f5486f271db8a24
Opcode Fuzzy Hash: 0a13dffd5f822c04e3e486fde9a24584f9dc5206fa44c44ac4daf7a2aae97bac
Instruction Fuzzy Hash: 69A27C70A0061ECBDF64CF58C9507FEB7B5BB54314F2481AAEA25A7284DB309E85CF91

Function 00D1AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D1AAAC
SetKeyboardState.USER32(00000080), ref: 00D1AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D1AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D1AB88

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac5d41ce285ce94d318f6baae962bd0316e4e698cb558ca234c6605197def393
Instruction ID: e248086b8d0794e363ff978ba34f65e6aac3c31ac8273fac7cf0282fd1bb5a71
Opcode Fuzzy Hash: ac5d41ce285ce94d318f6baae962bd0316e4e698cb558ca234c6605197def393
Instruction Fuzzy Hash: 7A312770A46288BEEB30CB6CED05BFA7BA6AF45310F08421AF081961D1DB7589C1C772

Function 00CEBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CEBB7F

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

GetTimeZoneInformation.KERNEL32 ref: 00CEBB91
WideCharToMultiByte.KERNEL32(00000000,?,00D8121C,000000FF,?,0000003F,?,?), ref: 00CEBC09
WideCharToMultiByte.KERNEL32(00000000,?,00D81270,000000FF,?,0000003F,?,?,?,00D8121C,000000FF,?,0000003F,?,?), ref: 00CEBC36

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: f3eb9e80ded5a7b2eff4b365bd045ce33b5a06f78a36a8f41f8db8a221db23f7
Instruction ID: e3977ecb2d9534975109bfa607b06fff27839729823846d5aaa9ac95e6827f09
Opcode Fuzzy Hash: f3eb9e80ded5a7b2eff4b365bd045ce33b5a06f78a36a8f41f8db8a221db23f7
Instruction Fuzzy Hash: 5431C175908385DFCB10DF6ADC82A3ABBB8FF45310B24426AE064D73A1D7309E06DB64

Function 00D2CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00D2CE89
GetLastError.KERNEL32(?,00000000), ref: 00D2CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00D2CEFE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: cced437b933f14c941b9ef3fd236fa3949990c5e26fe0f3703a1bf25334da69a
Instruction ID: bc1ba96652e34eea1ef1bbe778c9164cce75a02dc3db5cc1a6b727b5537ba963
Opcode Fuzzy Hash: cced437b933f14c941b9ef3fd236fa3949990c5e26fe0f3703a1bf25334da69a
Instruction Fuzzy Hash: 1821EDB1511715ABDB20DFA5E988BAA77F8EF20318F14541EE646D2251E770EE088B70

Function 00D18298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D182AA

Strings

|, xrefs: 00D182DA
(, xrefs: 00D182F0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 2620c311197c7140b1c11257f8834b61ce1bbd95474758651bb59626820fca63
Instruction ID: 9b4b6c2fe68d86bbc8d9aac44bda71838711980f1c6485781a78ab361efdf5a1
Opcode Fuzzy Hash: 2620c311197c7140b1c11257f8834b61ce1bbd95474758651bb59626820fca63
Instruction Fuzzy Hash: CB323774A00705AFC728CF59D080AAAB7F1FF48710B15C56EE49ADB3A1EB70E981DB54

Function 00D25C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D25CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00D25D17
FindClose.KERNEL32(?), ref: 00D25D5F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d662604d5565b3c880b128a79a2490d7d2fcc1cafb74fae24acd16c8e8fad3a5
Instruction ID: ec5ba73e53b214a8d289b436a79bb3a6decd5fbe0c6cc94e4097de396a825c68
Opcode Fuzzy Hash: d662604d5565b3c880b128a79a2490d7d2fcc1cafb74fae24acd16c8e8fad3a5
Instruction Fuzzy Hash: C7518A34604A019FC714CF28E494E96B7E4FF4A318F14855EE99A8B3A2DB30ED45CBA1

Function 00CE2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00CE271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CE2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00CE2731

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e30ccef2295b7f3df1bf6d2283dd9799558498094fbfa59b9c57aadebad8b63c
Instruction ID: 6a56f2c01897bc94c718c1047e1dcbe721d92ab029b2b5d5181a3b3391d7df23
Opcode Fuzzy Hash: e30ccef2295b7f3df1bf6d2283dd9799558498094fbfa59b9c57aadebad8b63c
Instruction Fuzzy Hash: 1D31D374911318ABCB21DF68DC8879DBBB8BF08310F5051EAE81CA7260E7709F819F54

Function 00D251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00D25238
SetErrorMode.KERNEL32(00000000), ref: 00D252A1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 775ce6f5449abe96192105af95f6c4725119f762ab852f73fdf6fa76dde5dd2c
Instruction ID: 7f5f3caa6bd5b16111994b0a49738a03ee2e9e13519d446e6ab38ce1c2c259e0
Opcode Fuzzy Hash: 775ce6f5449abe96192105af95f6c4725119f762ab852f73fdf6fa76dde5dd2c
Instruction Fuzzy Hash: D6312F75A10618DFDB00DF54D8C4EADBBB5FF49318F188099E8059B396DB31E855CB60

Function 00D116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00CCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CD0668
Part of subcall function 00CCFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00CD0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D1170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D1173A
GetLastError.KERNEL32 ref: 00D1174A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 72192f49d3f7a97ab5ef0c05acaa8a6415bdc0e8dd3febad7df2997a95d98ccd
Instruction ID: 963744f905399ce06e44ec0ecb385341ee1a3ad543b23a33dc33474bc7c26a7b
Opcode Fuzzy Hash: 72192f49d3f7a97ab5ef0c05acaa8a6415bdc0e8dd3febad7df2997a95d98ccd
Instruction Fuzzy Hash: 7D11C1B2410304BFD7189F54EC86EAAB7B9EB04714B20852EE05693291EB70FC81CA30

Function 00D1D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D1D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D1D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D1D650

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: ac0ded9e5507226cf3ce6e10501ca071928e5cc06815a164f398865008dd4e42
Instruction ID: 0013e0c18fe0ae7b156cdb1b52d49c1160102f888b27de99e49523131e157675
Opcode Fuzzy Hash: ac0ded9e5507226cf3ce6e10501ca071928e5cc06815a164f398865008dd4e42
Instruction Fuzzy Hash: BE113C75E05328BBDB208F95AC45FAFBBBCEB45B50F108115F904E7290D6B05A058BA1

Function 00D11663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D1168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D116A1
FreeSid.ADVAPI32(?), ref: 00D116B1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1afe0910643b6960da015a578e46b3961ce03cae451bb329b01961c829ea70bd
Instruction ID: 7835642fb71cb839eafcffef425ad65bb0f9d389bbecd6269ee8fa3562cee322
Opcode Fuzzy Hash: 1afe0910643b6960da015a578e46b3961ce03cae451bb329b01961c829ea70bd
Instruction Fuzzy Hash: E9F0F475A51309FBDB00DFE49C89AAEBBBCEB08605F504965E501E2281E774AA448A64

Function 00D0D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D0D28C

Strings

X64, xrefs: 00D0D2A8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: abaca3d4662244d3e35965a3052625ceb5ef618ca42ad0a604015cb2f1428623
Instruction ID: 234e423eeed505b810c9ff23bf1e7a145ca3c0c279ab77c1661c7d508d101ee0
Opcode Fuzzy Hash: abaca3d4662244d3e35965a3052625ceb5ef618ca42ad0a604015cb2f1428623
Instruction Fuzzy Hash: 0CD0C9B481211DEBCF90CBA0DCC8ED9B37CBB04305F100156F106E2140D73095488F20

Function 00CDCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 4df6fbf500ba29928ad6a8d8aa331780b98fd796c334c7f1f396f2c59dc5e196
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7020D71E0111A9BDF14CFA9C9C06ADFBF1EF88314F25416ADA29E7384D731AA41CB94

Function 00D268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00D26918
FindClose.KERNEL32(00000000), ref: 00D26961

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f37709ec62163e826c5c60ea36c8b9fef1896037b1e3f809ab4f0728b827863c
Instruction ID: a4cc98753cd57bea9f4389d08b8750ef99d6abe1937ab3263c42cffffabfde04
Opcode Fuzzy Hash: f37709ec62163e826c5c60ea36c8b9fef1896037b1e3f809ab4f0728b827863c
Instruction Fuzzy Hash: 4B11AC356042109FC710CF69D484A26BBE0EF85328F08C699E4698B2A2CB70EC45CBA0

Function 00D237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00D34891,?,?,00000035,?), ref: 00D237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00D34891,?,?,00000035,?), ref: 00D237F4

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d37c583de75900586de7fdf90e89e48e82120148b9ba9213af39a12afda4ab0d
Instruction ID: cdfc3de2dd2a76d3243ec67542b162ede92384896f763223b4f2b74523b2692f
Opcode Fuzzy Hash: d37c583de75900586de7fdf90e89e48e82120148b9ba9213af39a12afda4ab0d
Instruction Fuzzy Hash: 14F0E5B47053286BEB605BA69C4DFEB3AAEEFC5765F000265F609D3291D9A09904C7B0

Function 00D1B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D1B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00D1B270

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3150d9f4343a1e4f525aca52f35d6ba96f641d5365ea53815f2eb3160d3d60d5
Instruction ID: be2311588f3a7ac92b16bbf792adef977c1da64064d5e50d609868be6aa959e5
Opcode Fuzzy Hash: 3150d9f4343a1e4f525aca52f35d6ba96f641d5365ea53815f2eb3160d3d60d5
Instruction Fuzzy Hash: 9CF06D7480424DABDB058FA0C805BEE7BB0FF04315F00800AF951A5191C779C2059FA4

Function 00D110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D111FC), ref: 00D110D4
CloseHandle.KERNEL32(?,?,00D111FC), ref: 00D110E9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6cef6f037a129ee325edd890f044666b1a0c639cfbf468956185e2e3f6ae4f60
Instruction ID: ca4be5dc8ab00d8440d61147baf06a26a84cdbc63e581f1cc05008d4ecec0f32
Opcode Fuzzy Hash: 6cef6f037a129ee325edd890f044666b1a0c639cfbf468956185e2e3f6ae4f60
Instruction Fuzzy Hash: F8E04F36015710AFE7252F11FC09F7377A9EB04310B14882DF5A6C04B1DB626C90EB20

Function 00CBCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00D00C40

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: ef86a60432b4cc845b73516a8dace5632ed6e45dd8fd4181ccdcb2bc53dd928f
Instruction ID: 077927ccf4ef2427df8610de862f30600b23afc22b48fe64b3a96780593db1f6
Opcode Fuzzy Hash: ef86a60432b4cc845b73516a8dace5632ed6e45dd8fd4181ccdcb2bc53dd928f
Instruction Fuzzy Hash: BE328B74900218EBDF14DF94C8C5BFDBBB5BF05304F248069E81AAB292DB75AE45DB60

Function 00CE676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CE6766,?,?,00000008,?,?,00CEFEFE,00000000), ref: 00CE6998

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ffc226a674e3d6ade988c0172a04618396c7c74777fcb5c4cb6ede584b4b71e9
Instruction ID: 7a14245d19c20d88168a5254e3814ec5aa5d54fe7461e5139d60a8af477aa17c
Opcode Fuzzy Hash: ffc226a674e3d6ade988c0172a04618396c7c74777fcb5c4cb6ede584b4b71e9
Instruction Fuzzy Hash: 66B14A316206489FD715CF29C48AB657BE0FF553A4F258658E8E9CF2E2C335EA91CB40

Function 00CCB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00D0851F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13928628abd20dfce4fce78b7508705d809ae8dba0ffbfe00f10e8129c2995f0
Instruction ID: 3b4b93f0d1626ed1796afb21576ad510dd5296f45cf42445c214de0209ef8a8c
Opcode Fuzzy Hash: 13928628abd20dfce4fce78b7508705d809ae8dba0ffbfe00f10e8129c2995f0
Instruction Fuzzy Hash: 2E123275D002299BDB14CF99C881BEEB7B5FF48710F14815AE849EB295DB309E81DFA0

Function 00D2EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D2EABD

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7bd55d87dbb682fc5a43c44c62083de68764bf10b58fecfbfeeeb55e45948aa3
Instruction ID: 01406eda90e7f7ae42dd53e42b291bac3cb57c318abfb010aed3477817e6b3d5
Opcode Fuzzy Hash: 7bd55d87dbb682fc5a43c44c62083de68764bf10b58fecfbfeeeb55e45948aa3
Instruction Fuzzy Hash: 06E04F352102149FC710EF59E844E9AF7EDAFA9764F00841AFC4AC7361DBB0EC408BA1

Function 00CD09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00CD03EE), ref: 00CD09DA

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72d9eb1eb4624c74dcbb7336089bd4c4ffeb5c4d44d410f1c226f48fba7ced13
Instruction ID: ca0b3149f2327715815c20ae95f18e33ab609aca341a303c067e74bb0c07c8bf
Opcode Fuzzy Hash: 72d9eb1eb4624c74dcbb7336089bd4c4ffeb5c4d44d410f1c226f48fba7ced13
Instruction Fuzzy Hash:

Function 00CD781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00CD798B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: ad1e91533b4ec43b00539ee065d58df94d06badc36dacef1d223a837e2b82221
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7B51787260C6455BDB3856298D6A7BE63859B02300F18070BDBA6E73C2F635DF05F352

Function 00CE6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010011f3062d93eb9f335f6e0aab3d6a31512ebf8624efab819e13e5bb4e0dd1
Instruction ID: bc910f394976bf99bb763bf25188831e1c0876a2529b9567038f25711a4daf1c
Opcode Fuzzy Hash: 010011f3062d93eb9f335f6e0aab3d6a31512ebf8624efab819e13e5bb4e0dd1
Instruction Fuzzy Hash: 48324522D29F814DD7239635DC223356659AFB73C6F24C737FC2AB5AA9EB29C5834100

Function 00CCCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01be1581cfe9e27a69d40088f3b56fbf4342e50a05bf280eba31e7437245d3ce
Instruction ID: 992fbaf7073ab1fd593e7c73222a0ad1a1917fd06b4708535decb2a737589c44
Opcode Fuzzy Hash: 01be1581cfe9e27a69d40088f3b56fbf4342e50a05bf280eba31e7437245d3ce
Instruction Fuzzy Hash: 9932E331A201558BDF38CB29C4D4BBD77A1EB45310F28966AE89EDB2D1E230DD81DB71

Function 00CB7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758c2f9f38064c75a88bfeaccf88c5171d7c6173e1d49713411eae05875a007d
Instruction ID: ed4bc30155827dfdba6633a66f3f28638370f019a103a3c6744ab3820403fde9
Opcode Fuzzy Hash: 758c2f9f38064c75a88bfeaccf88c5171d7c6173e1d49713411eae05875a007d
Instruction Fuzzy Hash: 1922CF70A046099FDF14CF69C881AEEB7F6FF44300F204229EA16E7291EB369E55DB51

Function 00CB91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed0445d0f50ecfceded1fd9d94c771ee92d678f6f183d1c819efa821f4845bd
Instruction ID: 3c3010c5b0dd8294f196dce5f68c0d89323db08aff66753436f98f2664a1b0ed
Opcode Fuzzy Hash: aed0445d0f50ecfceded1fd9d94c771ee92d678f6f183d1c819efa821f4845bd
Instruction Fuzzy Hash: E102A6B0E00209EBDB14DF55D881BAEB7B1FF44300F218169E916DB3A1EB31AE51DB95

Function 00CE9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c736aba4b6c93ed1410442544ff55214081edb24273a709081406d03068a8d
Instruction ID: 28892d51ff8e04603258dd394e8e2e30cb6462f05aae443a2a3e28aa57888703
Opcode Fuzzy Hash: 28c736aba4b6c93ed1410442544ff55214081edb24273a709081406d03068a8d
Instruction Fuzzy Hash: E0B1F321D2AF414DD72396398831336B75CAFBB6D6F91D71BFC26B4E62EB2186834140

Function 00CD1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 041029ab5c7e4cada80318825c87e43d10b85d79db64f0ff0bff9624009c91cc
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 9C9167722080E35ADB2A463E857403EFFE15A923A131E079FDDF2CA3C5EE14CA54D620

Function 00CD1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: eb14fde57e0d5d5b7aeb96ccfbaf09a4b32b2f914f1e42f663e9815e6931d1e4
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1B917B732090A349DB2D477A857403DFFE15AA23A131E479FDAF2CB2C5EE24DA54D620

Function 00CD19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4120916e1e761d3711803a953a0e30765e636d0ad994897c866a67258b95a6db
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8F9165722090A36EDB2D427A857403EFFE15A923A131E079FD9F6CA2C5FD14C754E620

Function 00CD7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0172fa1913dfdf8a903a67007aadf8643e3a8c2c830568926afcab3e27dd8e
Instruction ID: c83006fb9fa871d46fdd0e34018dd347816cd8011c1a7641c3d41cd6e70c8ce7
Opcode Fuzzy Hash: 0f0172fa1913dfdf8a903a67007aadf8643e3a8c2c830568926afcab3e27dd8e
Instruction Fuzzy Hash: 1F614671208709B7DE349A2889A6BBE6394DF41700F101B1BEB97DB381FA319F46E355

Function 00CD7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d5cfaea98e0b0ec977febf462f9418a741ada31302812964bc1a731d23392c
Instruction ID: 1f46e193a91921fd849fd6058c6712d3d8f7c57d7d392f3132f19dfbb1c2d811
Opcode Fuzzy Hash: 73d5cfaea98e0b0ec977febf462f9418a741ada31302812964bc1a731d23392c
Instruction Fuzzy Hash: 70617B312087095BDE385A288896BBF6396DF42704F100B5BEB53DB781FA32EF469355

Function 00CD1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 19cf736c139af9d0fdf1e7a2646f4d608df0c9e6ba7ce6615c44438ed11a3c72
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: BD8175726080A319DB2D867A857403EFFE15A923A131F079FD9F2CA2D1EE24C754E620

Function 00D22046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb912c1cd5a9ce12e2f07c155a7cb40ff180a15d956a36f081664958353aed4
Instruction ID: 078d34f0f4dc02c1c053e425f40b45b189e46d6d80d052e29daab6692d8a849c
Opcode Fuzzy Hash: 0eb912c1cd5a9ce12e2f07c155a7cb40ff180a15d956a36f081664958353aed4
Instruction Fuzzy Hash: 4621B7326206118BD728CF79C92367E73E5EB64314F19862EE4A7C77D0DE35A904CBA0

Function 00D32ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D32B30
DeleteObject.GDI32(00000000), ref: 00D32B43
DestroyWindow.USER32 ref: 00D32B52
GetDesktopWindow.USER32 ref: 00D32B6D
GetWindowRect.USER32(00000000), ref: 00D32B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00D32CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00D32CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32CF8
GetClientRect.USER32(00000000,?), ref: 00D32D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D32D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D80
GlobalLock.KERNEL32(00000000), ref: 00D32D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32D98
GlobalUnlock.KERNEL32(00000000), ref: 00D32DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32DA8
GlobalFree.KERNEL32(00000000), ref: 00D32DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D4FC38,00000000), ref: 00D32DDB
GlobalFree.KERNEL32(00000000), ref: 00D32DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00D32E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00D32E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D32E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D3303F

Strings

, xrefs: 00D32FC5
DISPLAY, xrefs: 00D32EA2
AutoIt v3, xrefs: 00D32CF2
static, xrefs: 00D32D3A, 00D32E91

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 46414b326882e631b8dd32b6dc4072656eda60f288c8ac85a27cc188ef41a42b
Instruction ID: 997ed36b2dbd3311195eca152100bf634d8b8ba35254f3207c992e22a5a18c73
Opcode Fuzzy Hash: 46414b326882e631b8dd32b6dc4072656eda60f288c8ac85a27cc188ef41a42b
Instruction Fuzzy Hash: 38026775A10209AFDB14DFA4CC89EAE7BB9EF49310F048158F915EB2A1DB70AD05CB70

Function 00D470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D4712F
GetSysColorBrush.USER32(0000000F), ref: 00D47160
GetSysColor.USER32(0000000F), ref: 00D4716C
SetBkColor.GDI32(?,000000FF), ref: 00D47186
SelectObject.GDI32(?,?), ref: 00D47195
InflateRect.USER32(?,000000FF,000000FF), ref: 00D471C0
GetSysColor.USER32(00000010), ref: 00D471C8
CreateSolidBrush.GDI32(00000000), ref: 00D471CF
FrameRect.USER32(?,?,00000000), ref: 00D471DE
DeleteObject.GDI32(00000000), ref: 00D471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00D47230
FillRect.USER32(?,?,?), ref: 00D47262
GetWindowLongW.USER32(?,000000F0), ref: 00D47284

Part of subcall function 00D473E8: GetSysColor.USER32(00000012), ref: 00D47421
Part of subcall function 00D473E8: SetTextColor.GDI32(?,?), ref: 00D47425
Part of subcall function 00D473E8: GetSysColorBrush.USER32(0000000F), ref: 00D4743B
Part of subcall function 00D473E8: GetSysColor.USER32(0000000F), ref: 00D47446
Part of subcall function 00D473E8: GetSysColor.USER32(00000011), ref: 00D47463
Part of subcall function 00D473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D47471
Part of subcall function 00D473E8: SelectObject.GDI32(?,00000000), ref: 00D47482
Part of subcall function 00D473E8: SetBkColor.GDI32(?,00000000), ref: 00D4748B
Part of subcall function 00D473E8: SelectObject.GDI32(?,?), ref: 00D47498
Part of subcall function 00D473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00D474B7
Part of subcall function 00D473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D474CE
Part of subcall function 00D473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00D474DB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: efb746921abeb7b6eac6ddc93f6d78055286f0de057d3bf7bac3e361e4124f1d
Instruction ID: 8c1d12ceed8108a3c7e49b9337ac33d0d32f24dad569c68c3a999006ca57912e
Opcode Fuzzy Hash: efb746921abeb7b6eac6ddc93f6d78055286f0de057d3bf7bac3e361e4124f1d
Instruction Fuzzy Hash: F8A1B076019301AFDB509F60DC48E6F7BA9FB4A320F141A19F9A2E62E1D770E944CF61

Function 00CC8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00CC8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D06AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D06AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D06F43

Part of subcall function 00CC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CC8BE8,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00CC8FC5

SendMessageW.USER32(?,00001053), ref: 00D06F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D06F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D06FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D06FB7

Strings

0, xrefs: 00D06DCF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a5767962969a5f953494796b4977cf383bb12a2a8ffa058d90e4345e6eafc6e7
Instruction ID: 345210bd74a70d0d5faa91aace513c321f105157df2c0a65e713dab7a6a342d1
Opcode Fuzzy Hash: a5767962969a5f953494796b4977cf383bb12a2a8ffa058d90e4345e6eafc6e7
Instruction Fuzzy Hash: 57127B38601211AFD725DF24C854BAABBA5FB45300F18846DF599CB2A1CB31EC66DFA1

Function 00D32711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D3273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D3286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00D328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00D328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00D32900
GetClientRect.USER32(00000000,?), ref: 00D3290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00D32955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D32964
GetStockObject.GDI32(00000011), ref: 00D32974
SelectObject.GDI32(00000000,00000000), ref: 00D32978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00D32988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D32991
DeleteDC.GDI32(00000000), ref: 00D3299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00D32A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D32A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D32A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00D32A77
GetStockObject.GDI32(00000011), ref: 00D32A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D32A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00D32A97

Strings

msctls_progress32, xrefs: 00D32A13
DISPLAY, xrefs: 00D3295A
AutoIt v3, xrefs: 00D328F8
static, xrefs: 00D3294F, 00D32A71

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0340c14c8d854ccf802a2284d336dc6b43a632888563c6c9a65003136df61263
Instruction ID: f53af5fe218e20cb44f4a4c9a44409ff93a882293405abdab9080ecd8ccf6fad
Opcode Fuzzy Hash: 0340c14c8d854ccf802a2284d336dc6b43a632888563c6c9a65003136df61263
Instruction Fuzzy Hash: BDB16DB5A10315AFEB14DFA8CC49FAE7BA9EB49710F008614F915E72A0D770ED44CBA4

Function 00D24ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D24AED
GetDriveTypeW.KERNEL32(?,00D4CB68,?,\\.\,00D4CC08), ref: 00D24BCA
SetErrorMode.KERNEL32(00000000,00D4CB68,?,\\.\,00D4CC08), ref: 00D24D36

Strings

Network, xrefs: 00D24C02
SSD, xrefs: 00D24C4A
iSCSI, xrefs: 00D24CC2
RAMDisk, xrefs: 00D24BF4
PhysicalDrive, xrefs: 00D24B76
SSA, xrefs: 00D24CA6
Unknown, xrefs: 00D24BED, 00D24C83
1394, xrefs: 00D24C9F
MMC, xrefs: 00D24CDE
SATA, xrefs: 00D24CD0
Removable, xrefs: 00D24C10, 00D24C15
CDROM, xrefs: 00D24BFB
FileBackedVirtual, xrefs: 00D24CEC
USB, xrefs: 00D24CB4
RAID, xrefs: 00D24CBB
Fibre, xrefs: 00D24CAD
ATAPI, xrefs: 00D24C91
SCSI, xrefs: 00D24C8A
Fixed, xrefs: 00D24C09
Virtual, xrefs: 00D24CE5
ATA, xrefs: 00D24C98
\\.\, xrefs: 00D24B3F
SAS, xrefs: 00D24CC9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: b7a36ed22581628f71b9c4a7b742422928b8170b58e13ba8da9cfbe801a99702
Instruction ID: 3a6722cb4d39232767f7518122a4295a4b807d140d9d1a33a217a18a6961f391
Opcode Fuzzy Hash: b7a36ed22581628f71b9c4a7b742422928b8170b58e13ba8da9cfbe801a99702
Instruction Fuzzy Hash: 7061D2306016159FCB15DF28EA829A977B0EF64308B248016FC4AAB792FB31DD45EB71

Function 00D473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D47421
SetTextColor.GDI32(?,?), ref: 00D47425
GetSysColorBrush.USER32(0000000F), ref: 00D4743B
GetSysColor.USER32(0000000F), ref: 00D47446
CreateSolidBrush.GDI32(?), ref: 00D4744B
GetSysColor.USER32(00000011), ref: 00D47463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D47471
SelectObject.GDI32(?,00000000), ref: 00D47482
SetBkColor.GDI32(?,00000000), ref: 00D4748B
SelectObject.GDI32(?,?), ref: 00D47498
InflateRect.USER32(?,000000FF,000000FF), ref: 00D474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00D474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D4752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D47554
InflateRect.USER32(?,000000FD,000000FD), ref: 00D47572
DrawFocusRect.USER32(?,?), ref: 00D4757D
GetSysColor.USER32(00000011), ref: 00D4758E
SetTextColor.GDI32(?,00000000), ref: 00D47596
DrawTextW.USER32(?,00D470F5,000000FF,?,00000000), ref: 00D475A8
SelectObject.GDI32(?,?), ref: 00D475BF
DeleteObject.GDI32(?), ref: 00D475CA
SelectObject.GDI32(?,?), ref: 00D475D0
DeleteObject.GDI32(?), ref: 00D475D5
SetTextColor.GDI32(?,?), ref: 00D475DB
SetBkColor.GDI32(?,?), ref: 00D475E5

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1343435845f5693f98de970de447409f1cbfd7ca177d7dd7552e2973f1ec40ec
Instruction ID: 8c7722046d6b70869b7e9b02be7f45e62036eeacead77b210392819b6f11cc2b
Opcode Fuzzy Hash: 1343435845f5693f98de970de447409f1cbfd7ca177d7dd7552e2973f1ec40ec
Instruction Fuzzy Hash: 7C617A76901218AFDF009FA4DC48EAEBFB9EB09320F155115F915FB2A1D7709940CFA0

Function 00D40FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D41128
GetDesktopWindow.USER32 ref: 00D4113D
GetWindowRect.USER32(00000000), ref: 00D41144
GetWindowLongW.USER32(?,000000F0), ref: 00D41199
DestroyWindow.USER32(?), ref: 00D411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D4120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D4121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00D41232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D41245
IsWindowVisible.USER32(00000000), ref: 00D412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D412D0
GetWindowRect.USER32(00000000,?), ref: 00D412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00D4130E
GetMonitorInfoW.USER32(00000000,?), ref: 00D41328
CopyRect.USER32(?,?), ref: 00D4133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00D413AA

Strings

0, xrefs: 00D410D3
(, xrefs: 00D4131B
tooltips_class32, xrefs: 00D411E6

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 3249e651cfaa5395f4f7c7f4e67bc2d72b5bd89c87360130e91aada84344113d
Instruction ID: 7e7efc9ae76a628af58e52da8c5fc87f355d7854ec87b4a96a154fc67c1842e1
Opcode Fuzzy Hash: 3249e651cfaa5395f4f7c7f4e67bc2d72b5bd89c87360130e91aada84344113d
Instruction Fuzzy Hash: D5B18C75604341AFD714DF64C889BAEBBE4FF85350F048918F9999B2A1C771EC84CBA2

Function 00CC8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CC8968
GetSystemMetrics.USER32(00000007), ref: 00CC8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00CC899B
GetSystemMetrics.USER32(00000008), ref: 00CC89A3
GetSystemMetrics.USER32(00000004), ref: 00CC89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00CC89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00CC89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00CC8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00CC8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00CC8A5A
GetStockObject.GDI32(00000011), ref: 00CC8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CC8A81

Part of subcall function 00CC912D: GetCursorPos.USER32(?), ref: 00CC9141
Part of subcall function 00CC912D: ScreenToClient.USER32(00000000,?), ref: 00CC915E
Part of subcall function 00CC912D: GetAsyncKeyState.USER32(00000001), ref: 00CC9183
Part of subcall function 00CC912D: GetAsyncKeyState.USER32(00000002), ref: 00CC919D

SetTimer.USER32(00000000,00000000,00000028,00CC90FC), ref: 00CC8AA8

Strings

AutoIt v3 GUI, xrefs: 00CC8A20

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 42a661137234515969637dc4967a7f0425cf43b22599d3c7474e3ee4f6772008
Instruction ID: 7eaa6569fad4bf2c6fcaf4146dfd3fb934ad6113cadc9bcab0e6c3f6298f58c1
Opcode Fuzzy Hash: 42a661137234515969637dc4967a7f0425cf43b22599d3c7474e3ee4f6772008
Instruction Fuzzy Hash: BBB16839A0020AAFDB14DFA8C845BAE3BB5FB48314F154229FA15E72D0DB34E945CF64

Function 00D10D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D11114
Part of subcall function 00D110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11120
Part of subcall function 00D110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D1112F
Part of subcall function 00D110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11136
Part of subcall function 00D110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D1114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D10DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D10E29
GetLengthSid.ADVAPI32(?), ref: 00D10E40
GetAce.ADVAPI32(?,00000000,?), ref: 00D10E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D10E96
GetLengthSid.ADVAPI32(?), ref: 00D10EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D10EB5
HeapAlloc.KERNEL32(00000000), ref: 00D10EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D10EDD
CopySid.ADVAPI32(00000000), ref: 00D10EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D10F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D10F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D10F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10F6E
HeapFree.KERNEL32(00000000), ref: 00D10F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10F7E
HeapFree.KERNEL32(00000000), ref: 00D10F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D10F8E
HeapFree.KERNEL32(00000000), ref: 00D10F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00D10FA1
HeapFree.KERNEL32(00000000), ref: 00D10FA8

Part of subcall function 00D11193: GetProcessHeap.KERNEL32(00000008,00D10BB1,?,00000000,?,00D10BB1,?), ref: 00D111A1
Part of subcall function 00D11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D10BB1,?), ref: 00D111A8
Part of subcall function 00D11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D10BB1,?), ref: 00D111B7

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3f534c53a4cc1a3b9260b0c6937d5a8c07ac3294ee50a19de50c5c5041f30380
Instruction ID: 7ff7f79626f28b7ea68a42d7a574d95474eafc373639e4472f776f8d7f92ae62
Opcode Fuzzy Hash: 3f534c53a4cc1a3b9260b0c6937d5a8c07ac3294ee50a19de50c5c5041f30380
Instruction Fuzzy Hash: 68714C7590530ABBDF20AFA5EC45BEEBBB8BF05300F084115F919E6291DB719986CB70

Function 00D3C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D4CC08,00000000,?,00000000,?,?), ref: 00D3C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00D3C5A4
_wcslen.LIBCMT ref: 00D3C5F4
_wcslen.LIBCMT ref: 00D3C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00D3C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00D3C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00D3C84D
RegCloseKey.ADVAPI32(?), ref: 00D3C881
RegCloseKey.ADVAPI32(00000000), ref: 00D3C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00D3C960

Strings

REG_EXPAND_SZ, xrefs: 00D3C5CD
REG_QWORD, xrefs: 00D3C8C3
REG_MULTI_SZ, xrefs: 00D3C6F5
REG_BINARY, xrefs: 00D3C913
REG_DWORD, xrefs: 00D3C804
REG_SZ, xrefs: 00D3C644

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: beae05ceca724ced2371a8f3826199bb4bf1dee911bc340372d9657dd83d119e
Instruction ID: be7c60bad22b5b99a671818fb7a6dd4e27da693dc2d80e68bd7a7b9095e5191f
Opcode Fuzzy Hash: beae05ceca724ced2371a8f3826199bb4bf1dee911bc340372d9657dd83d119e
Instruction Fuzzy Hash: EA126A356142019FC714DF14C881A6AB7E5EF88714F08889DF98AAB3A2DB31FD45DBA1

Function 00D4091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D409C6
_wcslen.LIBCMT ref: 00D40A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D40A54
_wcslen.LIBCMT ref: 00D40A8A
_wcslen.LIBCMT ref: 00D40B06
_wcslen.LIBCMT ref: 00D40B81

Part of subcall function 00CCF9F2: _wcslen.LIBCMT ref: 00CCF9FD

Part of subcall function 00D12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D12BFA

Strings

COLLAPSE, xrefs: 00D40B01, 00D40B1C
ISCHECKED, xrefs: 00D40CE1
EXPAND, xrefs: 00D40BF8
GETTOTALCOUNT, xrefs: 00D409F2, 00D40A17
GETSELECTED, xrefs: 00D40C4E
GETTEXT, xrefs: 00D40C97
GETITEMCOUNT, xrefs: 00D40C1E
SELECT, xrefs: 00D40D11
EXISTS, xrefs: 00D40B7C, 00D40B97
CHECK, xrefs: 00D40A85, 00D40AA0
UNCHECK, xrefs: 00D40D3E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: dd63a4636b3faeba39c6fb1fbb05f2c0e419d89a0b6f45d068849eb7df9afc70
Instruction ID: 2e17aa06b56fc729494b74198c0b81625877112130e70a2758e18a16558f6b65
Opcode Fuzzy Hash: dd63a4636b3faeba39c6fb1fbb05f2c0e419d89a0b6f45d068849eb7df9afc70
Instruction Fuzzy Hash: CCE1B0312083019FCB14DF24C45196ABBE1FF98314F18895DF99A9B762DB31ED4ACBA1

Function 00D3C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
_wcslen.LIBCMT ref: 00D3C9F1
_wcslen.LIBCMT ref: 00D3CA68
_wcslen.LIBCMT ref: 00D3CA9E
_wcslen.LIBCMT ref: 00D3CAF9
_wcslen.LIBCMT ref: 00D3CB2F
_wcslen.LIBCMT ref: 00D3CB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00D3CAF3, 00D3CAF8
HKLM, xrefs: 00D3CA98, 00D3CA9D
HKEY_CURRENT_CONFIG, xrefs: 00D3CB79, 00D3CB7E
HKEY_CURRENT_USER, xrefs: 00D3CBBD
HKCU, xrefs: 00D3CBCE
HKCC, xrefs: 00D3CBAC
HKCR, xrefs: 00D3CB29, 00D3CB2E
HKEY_LOCAL_MACHINE, xrefs: 00D3CA62, 00D3CA67
HKU, xrefs: 00D3CBF0
HKEY_USERS, xrefs: 00D3CBDF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f39534c291437705c1eb1720693a63a3fa6a1271da330daf2d8d8abc113410d3
Instruction ID: 0c64553d4a7d36c70c6ede9dd115b09a5e3f1857bcc29cf386f298fd9cd278ca
Opcode Fuzzy Hash: f39534c291437705c1eb1720693a63a3fa6a1271da330daf2d8d8abc113410d3
Instruction Fuzzy Hash: 2871D43362012A8BCB20DF7CCD516BE7395AF60754F296529F896B7284EA31CD45D3B0

Function 00D4833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D4835A
_wcslen.LIBCMT ref: 00D4836E
_wcslen.LIBCMT ref: 00D48391
_wcslen.LIBCMT ref: 00D483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D4361A,?), ref: 00D4844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D48487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D48501
FreeLibrary.KERNEL32(?), ref: 00D4850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D4851D
DestroyIcon.USER32(?), ref: 00D4852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D48549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D48555

Strings

.icl, xrefs: 00D48368
.exe, xrefs: 00D48388
.dll, xrefs: 00D483AB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8e7543262049f189abeaf3b4c1fe783faf39c292495c705d0df2a18e7fda7285
Instruction ID: 614086689c35b9e5c90d7a7425bafe71104ad235eee06d4ae972ed411085fe94
Opcode Fuzzy Hash: 8e7543262049f189abeaf3b4c1fe783faf39c292495c705d0df2a18e7fda7285
Instruction Fuzzy Hash: AB61BF71940315BFEB14DF64CC85BBE77A8BB04B61F10460AF919E61D1DB74AA80EBB0

Function 00CB7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00CB785F, 00CB78B1
#OnAutoItStartRegister, xrefs: 00CB7817
Bad directive syntax error, xrefs: 00CF519A
#notrayicon, xrefs: 00CB77E7
#include, xrefs: 00CB7847
Cannot parse #include, xrefs: 00CF5279
', xrefs: 00CF5169
#comments-end, xrefs: 00CB78D9
Unterminated group of comments, xrefs: 00CF528C
#requireadmin, xrefs: 00CB77FF
#ce, xrefs: 00CB78ED
#pragma compile, xrefs: 00CB77D3
#cs, xrefs: 00CB7873, 00CB78C5
#include-once, xrefs: 00CB782F
", xrefs: 00CF5153

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ea9f49bac70082255ba8f1b61c2ccc2ce2715a347fb9b96a3f28a65f5b39d072
Instruction ID: 7b905bb21029c62ea63fcb7f30d352c1496ee92f49b268541f1345c2dc6d2b44
Opcode Fuzzy Hash: ea9f49bac70082255ba8f1b61c2ccc2ce2715a347fb9b96a3f28a65f5b39d072
Instruction Fuzzy Hash: E681E571A44609BFDB21AF60CC42FFE37A9AF55300F044125FF15AA192EB70DA15E7A1

Function 00D23E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D23EF8
_wcslen.LIBCMT ref: 00D23F03
_wcslen.LIBCMT ref: 00D23F5A
_wcslen.LIBCMT ref: 00D23F98
GetDriveTypeW.KERNEL32(?), ref: 00D23FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D2401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D24059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D24087

Strings

closed, xrefs: 00D23F08, 00D23F2D, 00D23F46, 00D23F7E, 00D23F97
wait, xrefs: 00D24044
close cd wait, xrefs: 00D24072
type cdaudio alias cd wait, xrefs: 00D24001
open, xrefs: 00D23F54, 00D23F59
close, xrefs: 00D23EFE, 00D23F18
open , xrefs: 00D23FE5
set cd door , xrefs: 00D24028

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 427d88168f35aa2a9709c44dacea9e7bb677b0489940cf3d85b8932b91205b7d
Instruction ID: 5411cfa116a62198fa943477f60a16f9d202285d2a3df5ed5900b9d6144c4758
Opcode Fuzzy Hash: 427d88168f35aa2a9709c44dacea9e7bb677b0489940cf3d85b8932b91205b7d
Instruction Fuzzy Hash: 0C7112326043219FC310EF24D9808ABB7F4EFA4758F14892DF995972A1EB31DD49CBA1

Function 00D15A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D15A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D15A40
SetWindowTextW.USER32(?,?), ref: 00D15A57
GetDlgItem.USER32(?,000003EA), ref: 00D15A6C
SetWindowTextW.USER32(00000000,?), ref: 00D15A72
GetDlgItem.USER32(?,000003E9), ref: 00D15A82
SetWindowTextW.USER32(00000000,?), ref: 00D15A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D15AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D15AC3
GetWindowRect.USER32(?,?), ref: 00D15ACC
_wcslen.LIBCMT ref: 00D15B33
SetWindowTextW.USER32(?,?), ref: 00D15B6F
GetDesktopWindow.USER32 ref: 00D15B75
GetWindowRect.USER32(00000000), ref: 00D15B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D15BD3
GetClientRect.USER32(?,?), ref: 00D15BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00D15C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D15C2F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: aca9230ffbf873abf9726f05cf11dfe1a0c2edc27dce1e6c66d8d9738f8da49c
Instruction ID: 57f41997fdfebfb06b39cd763a5a9ef4214b4333528b7614944315503ca3ed30
Opcode Fuzzy Hash: aca9230ffbf873abf9726f05cf11dfe1a0c2edc27dce1e6c66d8d9738f8da49c
Instruction Fuzzy Hash: D3716F35900B05EFDB20DFA8EE85BAEBBF5FF48704F144518E542A26A4DB75E940CB60

Function 00D2FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D2FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00D2FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00D2FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00D2FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00D2FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00D2FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00D2FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00D2FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00D2FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00D2FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00D2FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00D2FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00D2FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00D2FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00D2FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00D2FECC
GetCursorInfo.USER32(?), ref: 00D2FEDC
GetLastError.KERNEL32 ref: 00D2FF1E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6c03b785b19fd6cea57bd84aeaeb27e63185e3f64329d8a2bd44bca5481863cd
Instruction ID: 57fa41a64c89d3de04a60e89fc4e6f9ffd7a41d2689b10a6a70a58d93e0a47b5
Opcode Fuzzy Hash: 6c03b785b19fd6cea57bd84aeaeb27e63185e3f64329d8a2bd44bca5481863cd
Instruction Fuzzy Hash: FF4160B0D083196ADB109FBA9C8985EBFF8FF04354B54453AE119E7291DB78A9018EA0

Function 00CD00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00CD00C6

Part of subcall function 00CD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D8070C,00000FA0,51D34078,?,?,?,?,00CF23B3,000000FF), ref: 00CD011C
Part of subcall function 00CD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CF23B3,000000FF), ref: 00CD0127
Part of subcall function 00CD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CF23B3,000000FF), ref: 00CD0138
Part of subcall function 00CD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CD014E
Part of subcall function 00CD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CD015C
Part of subcall function 00CD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CD016A
Part of subcall function 00CD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CD0195
Part of subcall function 00CD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00CD01A0

___scrt_fastfail.LIBCMT ref: 00CD00E7

Part of subcall function 00CD00A3: __onexit.LIBCMT ref: 00CD00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CD0122
InitializeConditionVariable, xrefs: 00CD0148
SleepConditionVariableCS, xrefs: 00CD0154
WakeAllConditionVariable, xrefs: 00CD0162
kernel32.dll, xrefs: 00CD0133

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4c25f98c4fad79c9c5e0b10bf4335e977aa01cfc1e9e5c14dc9d3c0315b060bc
Instruction ID: a7b0fae049b08a79b67923d90e6e6aa1b45e63d292b74d8436f589118bc2d700
Opcode Fuzzy Hash: 4c25f98c4fad79c9c5e0b10bf4335e977aa01cfc1e9e5c14dc9d3c0315b060bc
Instruction Fuzzy Hash: 9621C636A557106FE7506FA8AC46B6E7798EB05B61F20013FFA01E23A1DB7498048AB0

Function 00D130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D1318D
_wcslen.LIBCMT ref: 00D131F8

Strings

TEXT, xrefs: 00D1347C
CLASS, xrefs: 00D13188, 00D131A5
INSTANCE, xrefs: 00D13453
CLASSNN, xrefs: 00D131F3, 00D13204
REGEXPCLASS, xrefs: 00D13255, 00D13266
NAME, xrefs: 00D13335, 00D13346

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3ff596b25e5134a158fbb8bc0ab715ef93845c65ac327788ca4df94af67211f5
Instruction ID: f24176d50e43ad7a3e4dd0bd967d6cea54aae116c666a05aaf623ab6ecf6a147
Opcode Fuzzy Hash: 3ff596b25e5134a158fbb8bc0ab715ef93845c65ac327788ca4df94af67211f5
Instruction Fuzzy Hash: DFE1E532A00616BBDB18DFA8E4517EDBBB5BF44710F58811AE456A7240EF30AEC597B0

Function 00D244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00D4CC08), ref: 00D24527
_wcslen.LIBCMT ref: 00D2453B
_wcslen.LIBCMT ref: 00D24599
_wcslen.LIBCMT ref: 00D245F4
_wcslen.LIBCMT ref: 00D2463F
_wcslen.LIBCMT ref: 00D246A7

Part of subcall function 00CCF9F2: _wcslen.LIBCMT ref: 00CCF9FD

GetDriveTypeW.KERNEL32(?,00D76BF0,00000061), ref: 00D24743

Strings

fixed, xrefs: 00D24635, 00D2463A
network, xrefs: 00D2469D, 00D246A2
unknown, xrefs: 00D24708
cdrom, xrefs: 00D2458F, 00D24594
ramdisk, xrefs: 00D246F1
removable, xrefs: 00D245EA, 00D245EF
all, xrefs: 00D24531, 00D24536

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 32a552537b31bdda931c5fbeb64b185fff94b7af225d75ee7fc225120328d5dd
Instruction ID: b49d5541352a5ddc18b031273a3015bfcb155bb2d23ae81887a24011f8b8249a
Opcode Fuzzy Hash: 32a552537b31bdda931c5fbeb64b185fff94b7af225d75ee7fc225120328d5dd
Instruction Fuzzy Hash: 4BB1D5316083229FC710DF28E890AAEB7E5EFA5718F54491DF996C7291E730D845CBB2

Function 00D33FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D4CC08), ref: 00D340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D4CC08), ref: 00D340F2
FreeLibrary.KERNEL32(00000000,?,00D4CC08), ref: 00D3413E
StringFromGUID2.OLE32(?,?,00000028,?,00D4CC08), ref: 00D341A8
SysFreeString.OLEAUT32(00000009), ref: 00D34262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D342C8
SysFreeString.OLEAUT32(?), ref: 00D342F2

Strings

GetModuleHandleExW, xrefs: 00D340C7
kernel32.dll, xrefs: 00D340B6

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 9b32af13f6fd5f449f9aa2967a8c9b8d7d6663ce36969e0a368ecc34bab3581b
Instruction ID: 234aeff25d79003a279bfa264b5ff7e646e1726847df0d9c42fef9f7cce9a46f
Opcode Fuzzy Hash: 9b32af13f6fd5f449f9aa2967a8c9b8d7d6663ce36969e0a368ecc34bab3581b
Instruction Fuzzy Hash: B2122B75A00219EFDB14CF94C884EAEBBB5FF45314F288098E905AB261D775FD46CBA0

Function 00CB326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D81990), ref: 00CF2F8D
GetMenuItemCount.USER32(00D81990), ref: 00CF303D
GetCursorPos.USER32(?), ref: 00CF3081
SetForegroundWindow.USER32(00000000), ref: 00CF308A
TrackPopupMenuEx.USER32(00D81990,00000000,?,00000000,00000000,00000000), ref: 00CF309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CF30A9

Strings

0, xrefs: 00CB327D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 53b8ee1e1f5fcad1b54541d3ee9eb38fd31df1d5511f759b5e507aa6f0cfb108
Instruction ID: a67a4b85f669cf8959e6fc364e444f19247c3a07e935bef5a1b800be6e39436d
Opcode Fuzzy Hash: 53b8ee1e1f5fcad1b54541d3ee9eb38fd31df1d5511f759b5e507aa6f0cfb108
Instruction Fuzzy Hash: 59713F30640259BFEB218F65CC49FEABF64FF01324F204206F624AA1E1C7B19D50DB62

Function 00D46CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00D46DEB

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D46E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D46E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D46E94
DestroyWindow.USER32(?), ref: 00D46EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00CB0000,00000000), ref: 00D46EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D46EFD
GetDesktopWindow.USER32 ref: 00D46F16
GetWindowRect.USER32(00000000), ref: 00D46F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D46F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D46F4D

Part of subcall function 00CC9944: GetWindowLongW.USER32(?,000000EB), ref: 00CC9952

Strings

0, xrefs: 00D46D98
tooltips_class32, xrefs: 00D46E58, 00D46EDD

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f8ba903d2ec1c52c5ea26f3e2a7c3bbdfd2f96872f17dce66000b3a139f19b4d
Instruction ID: 8d053564d3939e96a39d97f654077c958067340cdf921d7a532ae58248bfbca0
Opcode Fuzzy Hash: f8ba903d2ec1c52c5ea26f3e2a7c3bbdfd2f96872f17dce66000b3a139f19b4d
Instruction Fuzzy Hash: 20714A74104344AFDB21DF18D844BAABBE9FF8A304F08441DF99AD7261D770E90ADB22

Function 00D4911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

DragQueryPoint.SHELL32(?,?), ref: 00D49147

Part of subcall function 00D47674: ClientToScreen.USER32(?,?), ref: 00D4769A
Part of subcall function 00D47674: GetWindowRect.USER32(?,?), ref: 00D47710
Part of subcall function 00D47674: PtInRect.USER32(?,?,00D48B89), ref: 00D47720

SendMessageW.USER32(?,000000B0,?,?), ref: 00D491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D49225
SendMessageW.USER32(?,000000B0,?,?), ref: 00D4923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D49255
SendMessageW.USER32(?,000000B1,?,?), ref: 00D49277
DragFinish.SHELL32(?), ref: 00D4927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D49371

Strings

@GUI_DROPID, xrefs: 00D4929E
@GUI_DRAGFILE, xrefs: 00D49320
@GUI_DRAGID, xrefs: 00D492E9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5f0db3d4d602aae15bb72faaf682991ca0f7674cef268d5e4bf1d399a12a668f
Instruction ID: 87a5a154e109966ce2ae8fabe5e161313cfb58c05ae1a4b97bdfdc6c2c6691be
Opcode Fuzzy Hash: 5f0db3d4d602aae15bb72faaf682991ca0f7674cef268d5e4bf1d399a12a668f
Instruction Fuzzy Hash: CA616B71108301AFD701EF64DC95DAFBBE8EF89750F40091EF595932A1DB70AA49CB62

Function 00D2C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D2C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D2C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D2C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00D2C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00D2C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00D2C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D2C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D2C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00D2C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00D2C5F0
InternetCloseHandle.WININET(00000000), ref: 00D2C5FB

Strings

, xrefs: 00D2C575

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 2d3876d2f6c9334ed0bda22184051f0965ae2f0b5610eec5a3c03a3a4253fe18
Instruction ID: 7343f6420210fd193f2d8a3f0729881dd2234f43159b88dd7a568dbec2d89c73
Opcode Fuzzy Hash: 2d3876d2f6c9334ed0bda22184051f0965ae2f0b5610eec5a3c03a3a4253fe18
Instruction Fuzzy Hash: F85168B4111718AFEB219F609988AAB7BBCFF19348F04641AF945D6210EB75ED049B70

Function 00D4856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00D48592
GetFileSize.KERNEL32(00000000,00000000), ref: 00D485A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00D485AD
CloseHandle.KERNEL32(00000000), ref: 00D485BA
GlobalLock.KERNEL32(00000000), ref: 00D485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00D485D7
GlobalUnlock.KERNEL32(00000000), ref: 00D485E0
CloseHandle.KERNEL32(00000000), ref: 00D485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00D485F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D4FC38,?), ref: 00D48611
GlobalFree.KERNEL32(00000000), ref: 00D48621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00D48641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00D48671
DeleteObject.GDI32(00000000), ref: 00D48699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D486AF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 12a3fba9b5ca43280707030a1b3a7cd7721b7b3331fdc92f8b4597bb3ebf066d
Instruction ID: 6443dd01b0020031bc179fb2b58f34c049e4751e2100801e6b03f168060c462d
Opcode Fuzzy Hash: 12a3fba9b5ca43280707030a1b3a7cd7721b7b3331fdc92f8b4597bb3ebf066d
Instruction Fuzzy Hash: B6412979601304AFDB519FA5CC88EAE7BB8EF8A751F148058F909E7260DB709901DF30

Function 00D214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00D21502
VariantCopy.OLEAUT32(?,?), ref: 00D2150B
VariantClear.OLEAUT32(?), ref: 00D21517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00D215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00D21657
VariantInit.OLEAUT32(?), ref: 00D21708
SysFreeString.OLEAUT32(?), ref: 00D2178C
VariantClear.OLEAUT32(?), ref: 00D217D8
VariantClear.OLEAUT32(?), ref: 00D217E7
VariantInit.OLEAUT32(00000000), ref: 00D21823

Strings

Default, xrefs: 00D216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00D21625

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e32ffa7d36d9f0897ef2378a8ede696bc8071249c243da0578b7adf62a476f0d
Instruction ID: 984ded34f174ad0a836cea3516cb42b823a02aae9127b0d41c63266806abec63
Opcode Fuzzy Hash: e32ffa7d36d9f0897ef2378a8ede696bc8071249c243da0578b7adf62a476f0d
Instruction Fuzzy Hash: 2CD12335A00225EBDB009F65E885BBDB7B5BF65708F14C49AF446AB280DB30EC41EB71

Function 00D3B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D3B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00D3B80A
RegCloseKey.ADVAPI32(?), ref: 00D3B87E
RegCloseKey.ADVAPI32(?), ref: 00D3B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D3B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D3B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00D3B922
FreeLibrary.KERNEL32(00000000), ref: 00D3B983
RegCloseKey.ADVAPI32(00000000), ref: 00D3B994

Strings

advapi32.dll, xrefs: 00D3B8ED
RegDeleteKeyExW, xrefs: 00D3B8FE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: c864a2d154720881a7b1a682e0b8a32a3f36581836fc9be65311d22cda849177
Instruction ID: 5852c6cb81e9c7836b2a29c7a33df1d855a7579d63553b43c84745bcda95cce1
Opcode Fuzzy Hash: c864a2d154720881a7b1a682e0b8a32a3f36581836fc9be65311d22cda849177
Instruction Fuzzy Hash: 7BC18A34208201AFD710DF14C495F6ABBE5FF84318F18859DF69A8B2A2CB71ED45DBA1

Function 00D3255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00D325E8
CreateCompatibleDC.GDI32(?), ref: 00D325F4
SelectObject.GDI32(00000000,?), ref: 00D32601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00D3266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00D326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00D326D0
SelectObject.GDI32(?,?), ref: 00D326D8
DeleteObject.GDI32(?), ref: 00D326E1
DeleteDC.GDI32(?), ref: 00D326E8
ReleaseDC.USER32(00000000,?), ref: 00D326F3

Strings

(, xrefs: 00D3268D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 39e05062eaf5a634b8a135c4e5f35df2fa74846739e2e17bdf750a90c1f58d17
Instruction ID: 044b76ed8a6bd71fbff1afac50613ccccfa20f5e320167bec5e03108300b30c7
Opcode Fuzzy Hash: 39e05062eaf5a634b8a135c4e5f35df2fa74846739e2e17bdf750a90c1f58d17
Instruction Fuzzy Hash: F961D1B5D01219EFCF14CFA8D885AAEBBB6FF48310F208529E955A7350D770A941CFA0

Function 00CEDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00CEDAA1

Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED659
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED66B
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED67D
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED68F
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6A1
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6B3
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6C5
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6D7
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6E9
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED6FB
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED70D
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED71F
Part of subcall function 00CED63C: _free.LIBCMT ref: 00CED731

_free.LIBCMT ref: 00CEDA96

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CEDAB8
_free.LIBCMT ref: 00CEDACD
_free.LIBCMT ref: 00CEDAD8
_free.LIBCMT ref: 00CEDAFA
_free.LIBCMT ref: 00CEDB0D
_free.LIBCMT ref: 00CEDB1B
_free.LIBCMT ref: 00CEDB26
_free.LIBCMT ref: 00CEDB5E
_free.LIBCMT ref: 00CEDB65
_free.LIBCMT ref: 00CEDB82
_free.LIBCMT ref: 00CEDB9A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5f0efd061fc2a70c84980f512faaf9cd31ae632f0b64011295a69aaced4ae2c5
Instruction ID: 000496fa921bed2439fd28a7324bcae5a1d335f27faa1e12318053b3d4c3eb35
Opcode Fuzzy Hash: 5f0efd061fc2a70c84980f512faaf9cd31ae632f0b64011295a69aaced4ae2c5
Instruction Fuzzy Hash: 683162316043899FDB21AE3AE846B5A77E9FF00310F155429F46AD7192EF35EE80E720

Function 00D1365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D1369C
_wcslen.LIBCMT ref: 00D136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D13797
GetClassNameW.USER32(?,?,00000400), ref: 00D1380C
GetDlgCtrlID.USER32(?), ref: 00D1385D
GetWindowRect.USER32(?,?), ref: 00D13882
GetParent.USER32(?), ref: 00D138A0
ScreenToClient.USER32(00000000), ref: 00D138A7
GetClassNameW.USER32(?,?,00000100), ref: 00D13921
GetWindowTextW.USER32(?,?,00000400), ref: 00D1395D

Strings

%s%u, xrefs: 00D13734

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2d8983f5f48048af8592d6e1561ded59cacdade970f7f22f94b65d5667088444
Instruction ID: e6e3837ac1bcb17707648d43caae0db3b50f87d6739fa588ec986cd53572b4ae
Opcode Fuzzy Hash: 2d8983f5f48048af8592d6e1561ded59cacdade970f7f22f94b65d5667088444
Instruction Fuzzy Hash: AE91AD71204706BFD718DF24E885BEAB7A8FF44350F048629F999D2190DB30EA85CBB1

Function 00D14954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00D14994
GetWindowTextW.USER32(?,?,00000400), ref: 00D149DA
_wcslen.LIBCMT ref: 00D149EB
CharUpperBuffW.USER32(?,00000000), ref: 00D149F7
_wcsstr.LIBVCRUNTIME ref: 00D14A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00D14A64
GetWindowTextW.USER32(?,?,00000400), ref: 00D14A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00D14AE6
GetClassNameW.USER32(?,?,00000400), ref: 00D14B20
GetWindowRect.USER32(?,?), ref: 00D14B8B

Strings

ThumbnailClass, xrefs: 00D14A6F, 00D14AF1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 03360ec9f04a50feb25aa6a0f99974955e738eea400895ad3b51e78f4fff692b
Instruction ID: cfda011b7b8f9005e97e3e42f5db1eab0923df48e901842a15ab0b1006df18b4
Opcode Fuzzy Hash: 03360ec9f04a50feb25aa6a0f99974955e738eea400895ad3b51e78f4fff692b
Instruction Fuzzy Hash: F4919C71109205AFDB04CF14E985BEA77A8EF84354F08846AFD899A196DF30ED85CBB1

Function 00D1BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D81990,000000FF,00000000,00000030), ref: 00D1BFAC
SetMenuItemInfoW.USER32(00D81990,00000004,00000000,00000030), ref: 00D1BFE1
Sleep.KERNEL32(000001F4), ref: 00D1BFF3
GetMenuItemCount.USER32(?), ref: 00D1C039
GetMenuItemID.USER32(?,00000000), ref: 00D1C056
GetMenuItemID.USER32(?,-00000001), ref: 00D1C082
GetMenuItemID.USER32(?,?), ref: 00D1C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D1C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D1C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D1C145

Strings

0, xrefs: 00D1BF3D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: a73021e09a016ae0b08aff538b0c6d88c988d200549bbf46dd3ef5c1bcca3086
Instruction ID: 4991fe0a0b51487f661df280d7e472c0d86bc7df9b0f9127dfff8b81372d0aa0
Opcode Fuzzy Hash: a73021e09a016ae0b08aff538b0c6d88c988d200549bbf46dd3ef5c1bcca3086
Instruction Fuzzy Hash: C7618EB49A038ABFDF11CF64EC88AEE7BB8EB05354F045055E841A3291DB31AD85CB70

Function 00D3CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D3CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00D3CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D3CD48

Part of subcall function 00D3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00D3CCAA
Part of subcall function 00D3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00D3CCBD
Part of subcall function 00D3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D3CCCF
Part of subcall function 00D3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00D3CD05
Part of subcall function 00D3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00D3CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D3CCF3

Strings

advapi32.dll, xrefs: 00D3CCB8
RegDeleteKeyExW, xrefs: 00D3CCC9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e28bb4627bacea53e001cd20d9239fa42f56cd95aa24537f10cdbe39201126d1
Instruction ID: 35b67c0789e40b2f2717fa98f12548a9d65288be8c1246fa6aa18e5af03459cf
Opcode Fuzzy Hash: e28bb4627bacea53e001cd20d9239fa42f56cd95aa24537f10cdbe39201126d1
Instruction Fuzzy Hash: 41316E75912229BBDB208F55DC88EFFBB7CEF46750F041165B905E2240DA349A45DBB0

Function 00D23D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D23D40
_wcslen.LIBCMT ref: 00D23D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D23D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00D23DBE
RemoveDirectoryW.KERNEL32(?), ref: 00D23DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00D23E55
CloseHandle.KERNEL32(00000000), ref: 00D23E60
CloseHandle.KERNEL32(00000000), ref: 00D23E6B

Strings

\, xrefs: 00D23D77
\??\%s, xrefs: 00D23D5B
:, xrefs: 00D23D82

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c0c14e53159c227913166f5e43e1647482fc3c94de5d1407f9fe754192303b0f
Instruction ID: b5315c3051cd7e78eb469694a264bdbb4dd2170557b7acffbffebb598cff3577
Opcode Fuzzy Hash: c0c14e53159c227913166f5e43e1647482fc3c94de5d1407f9fe754192303b0f
Instruction Fuzzy Hash: 2631AF76A10219ABDB209FA0DC89FEB37BCEF89704F1441A6F609D6160EB7497448B34

Function 00D1E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00D1E6B4

Part of subcall function 00CCE551: timeGetTime.WINMM(?,?,00D1E6D4), ref: 00CCE555

Sleep.KERNEL32(0000000A), ref: 00D1E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D1E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D1E727
SetActiveWindow.USER32 ref: 00D1E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D1E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00D1E773
Sleep.KERNEL32(000000FA), ref: 00D1E77E
IsWindow.USER32 ref: 00D1E78A
EndDialog.USER32(00000000), ref: 00D1E79B

Strings

BUTTON, xrefs: 00D1E719

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1a9c341390b0d8a05774d6d8a5b46479efcec005a10816d90677c017c8bf7f38
Instruction ID: 0c38af0b3ad754bf8f4150c587dbb142098f78f5701e557d3b94de51385eea61
Opcode Fuzzy Hash: 1a9c341390b0d8a05774d6d8a5b46479efcec005a10816d90677c017c8bf7f38
Instruction Fuzzy Hash: 14214C74221304BFFB005F61FC8AA753BA9FB56748B145424F905C23A1EE71AC449B34

Function 00D1E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D1EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D1EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D1EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D1EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D1EAA7

Strings

play PlayMe wait, xrefs: 00D1EA91
status PlayMe mode, xrefs: 00D1EA58
play PlayMe, xrefs: 00D1EAA2
close PlayMe, xrefs: 00D1EA6E, 00D1EA9B
alias PlayMe, xrefs: 00D1EA36
open , xrefs: 00D1EA0C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 57591803cc47c4223fb2ca4142b61ed93c2eb4ade74b3668f7ddd46b916c8f23
Instruction ID: 19e7466a951a80e4fa41236b29fdee0d4bf3f0dc9397fd9ed20d5715eadf9b29
Opcode Fuzzy Hash: 57591803cc47c4223fb2ca4142b61ed93c2eb4ade74b3668f7ddd46b916c8f23
Instruction Fuzzy Hash: F5114F21A902697DD724A7A2EC4ADFB6B7CEFD1B00F444429B905A20D1FF704949C9B0

Function 00D19F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D1A012
SetKeyboardState.USER32(?), ref: 00D1A07D
GetAsyncKeyState.USER32(000000A0), ref: 00D1A09D
GetKeyState.USER32(000000A0), ref: 00D1A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00D1A0E3
GetKeyState.USER32(000000A1), ref: 00D1A0F4
GetAsyncKeyState.USER32(00000011), ref: 00D1A120
GetKeyState.USER32(00000011), ref: 00D1A12E
GetAsyncKeyState.USER32(00000012), ref: 00D1A157
GetKeyState.USER32(00000012), ref: 00D1A165
GetAsyncKeyState.USER32(0000005B), ref: 00D1A18E
GetKeyState.USER32(0000005B), ref: 00D1A19C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a0080fb8d401f9e065d80550e0aa5dca585c3b1155189d08165060367ca3c16b
Instruction ID: fbe62bcd60d7c2af23ce4c1b59c53e46d7d4b3f83fc57b764b650d94ce534d93
Opcode Fuzzy Hash: a0080fb8d401f9e065d80550e0aa5dca585c3b1155189d08165060367ca3c16b
Instruction Fuzzy Hash: 7551D9609057843AFB35EBB4A9207EAEFB49F12380F0C8599D5C2571C2DE649ACCC772

Function 00D15CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D15CE2
GetWindowRect.USER32(00000000,?), ref: 00D15CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D15D59
GetDlgItem.USER32(?,00000002), ref: 00D15D69
GetWindowRect.USER32(00000000,?), ref: 00D15D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D15DCF
GetDlgItem.USER32(?,000003E9), ref: 00D15DDD
GetWindowRect.USER32(00000000,?), ref: 00D15DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D15E31
GetDlgItem.USER32(?,000003EA), ref: 00D15E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D15E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00D15E67

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f3e5a5701189d4ec223c09c0dffbb641bf1fdc24c840ff5d7a1daaad033a2a96
Instruction ID: a70051c2da096d651df7fba1511db441c8c4f9f88366b90f488c32032e5dee2a
Opcode Fuzzy Hash: f3e5a5701189d4ec223c09c0dffbb641bf1fdc24c840ff5d7a1daaad033a2a96
Instruction Fuzzy Hash: 77511F74B10705AFDB18CF68ED89AAE7BB5EB89300F148129F915E6294DB749E40CB60

Function 00CC8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00CC8BE8,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00CC8FC5

DestroyWindow.USER32(?), ref: 00CC8C81
KillTimer.USER32(00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00CC8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00D06973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00D069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00CC8BBA,00000000,?), ref: 00D069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00CC8BBA,00000000), ref: 00D069D4
DeleteObject.GDI32(00000000), ref: 00D069E6

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 0a76f572e8cab97b2cceea1e6a72c11469ec0e291bc4a78757069a67c288cf82
Instruction ID: bffdf17165cf7bff67502600837ec5aba431edf3c2851fde34c050f6ee645daf
Opcode Fuzzy Hash: 0a76f572e8cab97b2cceea1e6a72c11469ec0e291bc4a78757069a67c288cf82
Instruction Fuzzy Hash: B461A838112700DFCB21AF15D948B2A7BF1FB45312F14451CE0569BAA0CB35AD99DFB0

Function 00CC9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9944: GetWindowLongW.USER32(?,000000EB), ref: 00CC9952

GetSysColor.USER32(0000000F), ref: 00CC9862

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8ec4233e2f2b7ad54d415cffb5d6cefd7d56ecdb2fb9cbc741771aef6e1945a6
Instruction ID: ac8e36a1fc3d088e91adb776d2886d408593ed0b7ffa3d269313adcca508dea4
Opcode Fuzzy Hash: 8ec4233e2f2b7ad54d415cffb5d6cefd7d56ecdb2fb9cbc741771aef6e1945a6
Instruction Fuzzy Hash: 9E417B35905740AFDB205F38DC8CFB93BA5EB07320F185659F9B69B2E2D6319942DB20

Function 00D196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00CFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D19717
LoadStringW.USER32(00000000,?,00CFF7F8,00000001), ref: 00D19720

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D19742
LoadStringW.USER32(00000000,?,00CFF7F8,00000001), ref: 00D19745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D19866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D1984A
Line %d (File "%s"):, xrefs: 00D1978F
Line %d:, xrefs: 00D197A0
Error: , xrefs: 00D1981D
^ ERROR, xrefs: 00D197FB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 30cf7c9292a534da507bf830ddaf6412bcd7e532a05f8240dde6aaa2c179fff6
Instruction ID: 9ea6b648522d559e49afcf13136db53d77ce825313e4d7c21c1fc17b95805634
Opcode Fuzzy Hash: 30cf7c9292a534da507bf830ddaf6412bcd7e532a05f8240dde6aaa2c179fff6
Instruction Fuzzy Hash: DE411972900219ABCB04EBE0DDA6DEEB778EF55340F600065F605B20A2EE356F49DB71

Function 00D106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D10804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D1082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D10837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D1083C

Strings

SOFTWARE\Classes\, xrefs: 00D1070E
\CLSID, xrefs: 00D10724
\IPC$, xrefs: 00D10784

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 45c6d51ba1e185124ba2fa07223802375811700ed5e851971beac01ad39cba27
Instruction ID: 6bfd9482d59c653f15d7e06d1ebe4769cc47e7e76d58b532740f6728e32ac75f
Opcode Fuzzy Hash: 45c6d51ba1e185124ba2fa07223802375811700ed5e851971beac01ad39cba27
Instruction Fuzzy Hash: 57411876C10229ABDF11EFA4EC95CEEB778FF44350F144129E905A72A1EB709E44DBA0

Function 00D43F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D4403B
CreateCompatibleDC.GDI32(00000000), ref: 00D44042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D44055
SelectObject.GDI32(00000000,00000000), ref: 00D4405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D44068
DeleteDC.GDI32(00000000), ref: 00D44072
GetWindowLongW.USER32(?,000000EC), ref: 00D4407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D44092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D4409E

Strings

static, xrefs: 00D43FD3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0a20040ccb9910a7c890eb973db98bdde3aa46643dae9b6017e55d5702be7880
Instruction ID: 21e2490215821a314f2b5b88652e24ecafa42ce0c68ff2e459221ecc52b565a1
Opcode Fuzzy Hash: 0a20040ccb9910a7c890eb973db98bdde3aa46643dae9b6017e55d5702be7880
Instruction Fuzzy Hash: 62318C36112219ABDF219FA8DC09FDA3B68EF0E320F050211FA58E61A0C775D860DBB4

Function 00D33C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D33C5C
CoInitialize.OLE32(00000000), ref: 00D33C8A
CoUninitialize.OLE32 ref: 00D33C94
_wcslen.LIBCMT ref: 00D33D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00D33DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D33ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00D33F0E
CoGetObject.OLE32(?,00000000,00D4FB98,?), ref: 00D33F2D
SetErrorMode.KERNEL32(00000000), ref: 00D33F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D33FC4
VariantClear.OLEAUT32(?), ref: 00D33FD8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 25709804b3995bbef4a86c1d52cd5e04a75833db619aed84ef13a320eff52a55
Instruction ID: abb95ecc0e7df7ab401843ab84cb13853ec6904fcdffc6d260316523ea473da6
Opcode Fuzzy Hash: 25709804b3995bbef4a86c1d52cd5e04a75833db619aed84ef13a320eff52a55
Instruction Fuzzy Hash: A5C13471608305AFD700DF68C98492BBBE9FF89744F14491DF98A9B220DB71EE45CB62

Function 00D27A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D27AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00D27B8F
SHGetDesktopFolder.SHELL32(?), ref: 00D27BA3
CoCreateInstance.OLE32(00D4FD08,00000000,00000001,00D76E6C,?), ref: 00D27BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00D27C74
CoTaskMemFree.OLE32(?,?), ref: 00D27CCC
SHBrowseForFolderW.SHELL32(?), ref: 00D27D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00D27D7A
CoTaskMemFree.OLE32(00000000), ref: 00D27D81
CoTaskMemFree.OLE32(00000000), ref: 00D27DD6
CoUninitialize.OLE32 ref: 00D27DDC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: c8e642595543715b085b04e2df4dfcdf5c7b13f47f7a87e992fb5e0ac5e16adc
Instruction ID: 8057dc282a6142c91bbd0ad384abe888c29fe6c4e3a5451e8c9037df17a9c9f3
Opcode Fuzzy Hash: c8e642595543715b085b04e2df4dfcdf5c7b13f47f7a87e992fb5e0ac5e16adc
Instruction Fuzzy Hash: 12C12B75A04219AFCB14DF64D884DAEBBF9FF48304B148499E81ADB361D730ED45CBA0

Function 00D4541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D45504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D45515
CharNextW.USER32(00000158), ref: 00D45544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D45585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D4559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D455AC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f07d00210e3522308b45cc048aba17bd3f1bd3d9a1c3be2d44c26962552c5111
Instruction ID: 714c303dc468e897c68bc27f3622da42ccedaa5d50dda4911ea7e19b0adde3aa
Opcode Fuzzy Hash: f07d00210e3522308b45cc048aba17bd3f1bd3d9a1c3be2d44c26962552c5111
Instruction Fuzzy Hash: E361A034905608EFDF109F64EC849FE7BB9EB0A720F148145F965AB2A6D7708A81DF70

Function 00D0FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D0FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00D0FB08
VariantInit.OLEAUT32(?), ref: 00D0FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D0FB3A
VariantCopy.OLEAUT32(?,?), ref: 00D0FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D0FBA1
VariantClear.OLEAUT32(?), ref: 00D0FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00D0FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D0FBCC
VariantClear.OLEAUT32(?), ref: 00D0FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D0FBE9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1776458e6dcec2f5b562384acd9950b68e7c92798f8cb5a927a73f199acbfe6e
Instruction ID: ef8b65470b86302b633dab752092106711e56a4e7b04171148b2dd4277c6c9e7
Opcode Fuzzy Hash: 1776458e6dcec2f5b562384acd9950b68e7c92798f8cb5a927a73f199acbfe6e
Instruction Fuzzy Hash: 82413E35A012199FCB10DFA8D854AAEBBB9EF48354F148069E959E7261CB30E945CFB0

Function 00D19C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00D19CA1
GetAsyncKeyState.USER32(000000A0), ref: 00D19D22
GetKeyState.USER32(000000A0), ref: 00D19D3D
GetAsyncKeyState.USER32(000000A1), ref: 00D19D57
GetKeyState.USER32(000000A1), ref: 00D19D6C
GetAsyncKeyState.USER32(00000011), ref: 00D19D84
GetKeyState.USER32(00000011), ref: 00D19D96
GetAsyncKeyState.USER32(00000012), ref: 00D19DAE
GetKeyState.USER32(00000012), ref: 00D19DC0
GetAsyncKeyState.USER32(0000005B), ref: 00D19DD8
GetKeyState.USER32(0000005B), ref: 00D19DEA

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6ff86bfb853843af8c3dbc75718e52afd12cd94f67808203d0893d6c24aba327
Instruction ID: 224aa9230a41b4c1121d6111e1f3bb72e46899e50344177b04f7fdb005abad1d
Opcode Fuzzy Hash: 6ff86bfb853843af8c3dbc75718e52afd12cd94f67808203d0893d6c24aba327
Instruction Fuzzy Hash: B341C5346047C97AFF708A64F8343E5FEA16B12344F0C805ADAC6566C2DFA499C8C7B2

Function 00D3055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D305BC
inet_addr.WSOCK32(?), ref: 00D3061C
gethostbyname.WSOCK32(?), ref: 00D30628
IcmpCreateFile.IPHLPAPI ref: 00D30636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00D307B9
WSACleanup.WSOCK32 ref: 00D307BF

Strings

Ping, xrefs: 00D30676

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 497e442c5ea7c4222603ea4b107c8cc33c2d2cb71a1a6eb06d7a8dd9af08275d
Instruction ID: 4f5a2df860237127ceed41eb502770a56d4a8f8d4f2fe80b608073bb24aee0cf
Opcode Fuzzy Hash: 497e442c5ea7c4222603ea4b107c8cc33c2d2cb71a1a6eb06d7a8dd9af08275d
Instruction Fuzzy Hash: E1918B756043019FD320DF15C899F1ABBE0AF44318F1885A9F4AA9B7A2C770ED45CFA1

Function 00D38CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00D38CF3

Part of subcall function 00D18E54: _wcslen.LIBCMT ref: 00D18E77

_wcslen.LIBCMT ref: 00D38D4E
_wcslen.LIBCMT ref: 00D38D9C
_wcslen.LIBCMT ref: 00D38DDC
_wcslen.LIBCMT ref: 00D38E6E

Strings

none, xrefs: 00D38E65, 00D38E6A
winapi, xrefs: 00D38D96, 00D38D9B
stdcall, xrefs: 00D38DD6, 00D38DDB
cdecl, xrefs: 00D38D48, 00D38D4D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5be5dd4b05c260ebd314d6ca9ebe49ac915b43c1500647f60d97cf08881739ba
Instruction ID: f8b6cf717e7e6af4e5a5a2b2a64ca6454701d035523e4ba9f75eb728f25d4a25
Opcode Fuzzy Hash: 5be5dd4b05c260ebd314d6ca9ebe49ac915b43c1500647f60d97cf08881739ba
Instruction Fuzzy Hash: 31519131A002169BCF14DF68C9509BEB7A5BF64720F244229F566E73C4EB35DD40E7A0

Function 00D3372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00D33774
CoUninitialize.OLE32 ref: 00D3377F
CoCreateInstance.OLE32(?,00000000,00000017,00D4FB78,?), ref: 00D337D9
IIDFromString.OLE32(?,?), ref: 00D3384C
VariantInit.OLEAUT32(?), ref: 00D338E4
VariantClear.OLEAUT32(?), ref: 00D33936

Strings

Failed to create object, xrefs: 00D337E4, 00D3389A
NULL Pointer assignment, xrefs: 00D3381E
Invalid parameter, xrefs: 00D33865

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 35f1ff04c545e755cd58239515510cec32fe55ea1a41ceb47aff981638218298
Instruction ID: f273899231eb19a7212c1a3254140daae43cd354b8ac5319fdb03443991608f7
Opcode Fuzzy Hash: 35f1ff04c545e755cd58239515510cec32fe55ea1a41ceb47aff981638218298
Instruction Fuzzy Hash: 8361ADB4608301AFD310DF54C989F6ABBE8EF49714F044919F9859B2A1D770EE48CBB2

Function 00D23388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00D233CF

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00D233F0

Strings

^ ERROR , xrefs: 00D2349E
Incorrect parameters to object property !, xrefs: 00D234AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00D23504
Line %d (File "%s"):, xrefs: 00D23443, 00D2345C
"%s" (%d) : ==> %s:, xrefs: 00D23522
Error: , xrefs: 00D234D1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d543d293105d074fb4e6e6b4be14734048804b3e9f936b3a359557e7cb89fd66
Instruction ID: 2356ef8c611b8ddac2a95e4f419505c23a5122b079c40b8c696a57a24ecf21eb
Opcode Fuzzy Hash: d543d293105d074fb4e6e6b4be14734048804b3e9f936b3a359557e7cb89fd66
Instruction Fuzzy Hash: AC517D31900219ABDB14EBE0DD52EEEB7B8EF14344F244065F509721A2EB356F99EB70

Function 00D1B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D1B5FC
_wcslen.LIBCMT ref: 00D1B608
_wcslen.LIBCMT ref: 00D1B64D
_wcslen.LIBCMT ref: 00D1B68C
_wcslen.LIBCMT ref: 00D1B6C7

Strings

REMOVE, xrefs: 00D1B602, 00D1B607
KEYS, xrefs: 00D1B647, 00D1B64C
APPEND, xrefs: 00D1B6C1, 00D1B6C6
EXISTS, xrefs: 00D1B686, 00D1B68B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: dac53eec56faad73b46484b4d0ef7e8b2811a6f48775b9cdf5d8ca371a5df82d
Instruction ID: dc3178d17be63c4dac58cf1906adb6c751b81f02bd523a4bd63f83d4021232ae
Opcode Fuzzy Hash: dac53eec56faad73b46484b4d0ef7e8b2811a6f48775b9cdf5d8ca371a5df82d
Instruction Fuzzy Hash: ED41B732A00126ABCB105F7D99905FE77A5AB70774B28412BE565DB284FB31CDC1C7B0

Function 00D25393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00D25416
GetLastError.KERNEL32 ref: 00D25420
SetErrorMode.KERNEL32(00000000,READY), ref: 00D254A7

Strings

NOTREADY, xrefs: 00D2544B
UNKNOWN, xrefs: 00D25444
INVALID, xrefs: 00D25459
READY, xrefs: 00D25460, 00D25468
READONLY, xrefs: 00D25452

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0b82946586646caa5ace7b887b688cefb37c0e1e777d67bf8ac20c8c5c0f146b
Instruction ID: 8372173f2bf9ad85532fe17d7e072c17c5c3fb7664c6d8f28df4a259b9343631
Opcode Fuzzy Hash: 0b82946586646caa5ace7b887b688cefb37c0e1e777d67bf8ac20c8c5c0f146b
Instruction Fuzzy Hash: B2319335A006149FD710EF68E484EA9BBB4EF55309F188056E505CB396E771DD87CBB0

Function 00D43C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00D43C79
SetMenu.USER32(?,00000000), ref: 00D43C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D43D10
IsMenu.USER32(?), ref: 00D43D24
CreatePopupMenu.USER32 ref: 00D43D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D43D5B
DrawMenuBar.USER32 ref: 00D43D63

Strings

F, xrefs: 00D43D4E
0, xrefs: 00D43C54

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9fa399a68c01c4ff844785f3430e357f922943bd549c5229f3a5c24b5f888b20
Instruction ID: 142856d162905e6829e5378a2a0e8ab874b270eb074c0da00f04e0e9c8893fe7
Opcode Fuzzy Hash: 9fa399a68c01c4ff844785f3430e357f922943bd549c5229f3a5c24b5f888b20
Instruction Fuzzy Hash: A4416B79A01309AFDF14DF68D884AAE7BB9FF49350F180029F95697360D730AA11CFA0

Function 00D11EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00D11F64
GetDlgCtrlID.USER32 ref: 00D11F6F
GetParent.USER32 ref: 00D11F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D11F8E
GetDlgCtrlID.USER32(?), ref: 00D11F97
GetParent.USER32(?), ref: 00D11FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D11FAE

Strings

ComboBox, xrefs: 00D11EEC
ListBox, xrefs: 00D11F21

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 54995216f6a2e9885c6448295fb0815080a0b0ae3ff19fc039147e130bf21f5b
Instruction ID: 63a94988198a6f1da3fa6d77f27dba770fbc5a03c3fdede02d2446ca338d4132
Opcode Fuzzy Hash: 54995216f6a2e9885c6448295fb0815080a0b0ae3ff19fc039147e130bf21f5b
Instruction Fuzzy Hash: E721B079A00214BFCF04AFA0DC85AEEBBB8EF06310F104115BA65A72A1DB7599499B70

Function 00D11FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00D12043
GetDlgCtrlID.USER32 ref: 00D1204E
GetParent.USER32 ref: 00D1206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D1206D
GetDlgCtrlID.USER32(?), ref: 00D12076
GetParent.USER32(?), ref: 00D1208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D1208D

Strings

ComboBox, xrefs: 00D11FCD
ListBox, xrefs: 00D12002

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b93767fe8c348fd76f988db8e7a809751b821d2f0029523503acd324149aed98
Instruction ID: 88f8046f6ba1b60c6379e30548b84b90b462e417f5b9bebbacd8b5202ac8d255
Opcode Fuzzy Hash: b93767fe8c348fd76f988db8e7a809751b821d2f0029523503acd324149aed98
Instruction Fuzzy Hash: C721A475A01218BFCF14AFA0DC85EFEBBB8EF09340F104115B955A72A1DA768958DB70

Function 00D43A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D43A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D43AA0
GetWindowLongW.USER32(?,000000F0), ref: 00D43AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D43AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D43B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D43BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D43BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D43BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D43BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D43C13

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 73d5001202a4d91f4f5667cca2b496b2e63fc71673136977786a52fc06c8c13a
Instruction ID: ac39b5229bc76e6128e5cbcf1bc153b92a26abb14667dae8d3b0848c75d3bf70
Opcode Fuzzy Hash: 73d5001202a4d91f4f5667cca2b496b2e63fc71673136977786a52fc06c8c13a
Instruction Fuzzy Hash: EA613A75A00248AFDB10DFA8CC81EEE77B8EB09710F144199FA15E72A1D774AE46DF60

Function 00D1B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D1B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B165
GetWindowThreadProcessId.USER32(00000000), ref: 00D1B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D1B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D1A1E1,?,00000001), ref: 00D1B21D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9267f6b4c3c0e9be87f942b44a3be6483376bc9a33860ce4b4525081f9c6e22f
Instruction ID: 4d421f20ed26680e4416d9f3af2ced3d0e477da1f4d58553b4abf2c790a31571
Opcode Fuzzy Hash: 9267f6b4c3c0e9be87f942b44a3be6483376bc9a33860ce4b4525081f9c6e22f
Instruction Fuzzy Hash: 2931F2B5220304BFDB109F64EC58FAD7BA9BB11721F159006FA04D63A0CBB49E808F34

Function 00CE2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE2C94

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CE2CA0
_free.LIBCMT ref: 00CE2CAB
_free.LIBCMT ref: 00CE2CB6
_free.LIBCMT ref: 00CE2CC1
_free.LIBCMT ref: 00CE2CCC
_free.LIBCMT ref: 00CE2CD7
_free.LIBCMT ref: 00CE2CE2
_free.LIBCMT ref: 00CE2CED
_free.LIBCMT ref: 00CE2CFB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eeff270471242c5e031148705a292a8ccce6335dfe2e1fc014b869517a8a2a01
Instruction ID: cff6f595574dc6d4d9d69e191dff322ccf858c6bfcf8edaccc7b937ee07e356a
Opcode Fuzzy Hash: eeff270471242c5e031148705a292a8ccce6335dfe2e1fc014b869517a8a2a01
Instruction Fuzzy Hash: 8F11B67610014CBFCB02EF56D882EDD3BA9FF05350F5254A5FA489F222DA35EE50AB90

Function 00D27DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D27FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00D27FC1
GetFileAttributesW.KERNEL32(?), ref: 00D27FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00D28005
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28017
SetCurrentDirectoryW.KERNEL32(?), ref: 00D28060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00D280B0

Strings

*.*, xrefs: 00D28066

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e7d25d035af883e1871f5cf671c19f0e04b6c1188a20c957bf2a9778b70708b3
Instruction ID: d781388701cdb6f49fec73cb54fbd9d7d052620a46df99e81929f697c6dc0e6c
Opcode Fuzzy Hash: e7d25d035af883e1871f5cf671c19f0e04b6c1188a20c957bf2a9778b70708b3
Instruction Fuzzy Hash: B681C1715083129BCB30EF54D4849AAB3E8BFA9318F19485EF885C7250EB35DD489B72

Function 00CB5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00CB5C7A

Part of subcall function 00CB5D0A: GetClientRect.USER32(?,?), ref: 00CB5D30
Part of subcall function 00CB5D0A: GetWindowRect.USER32(?,?), ref: 00CB5D71
Part of subcall function 00CB5D0A: ScreenToClient.USER32(?,?), ref: 00CB5D99

GetDC.USER32 ref: 00CF46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CF4708
SelectObject.GDI32(00000000,00000000), ref: 00CF4716
SelectObject.GDI32(00000000,00000000), ref: 00CF472B
ReleaseDC.USER32(?,00000000), ref: 00CF4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CF47C4

Strings

U, xrefs: 00CF4693

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 069de3592bcf47d06cd09cb69dc13f1f23d0448aae9dcb7bc84c81211e9461e2
Instruction ID: ec0a25c4970848dc4116c3cce15315f4ce8d0ff3dea67ddf1494ee91f8ca6ddc
Opcode Fuzzy Hash: 069de3592bcf47d06cd09cb69dc13f1f23d0448aae9dcb7bc84c81211e9461e2
Instruction Fuzzy Hash: 8971E334400209DFCF699F64C984AFB7BB6FF4A350F14426AFE659A2A6C3318941DF61

Function 00D2359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00D235E4

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

LoadStringW.USER32(00D82390,?,00000FFF,?), ref: 00D2360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00D23724
Line %d (File "%s"):, xrefs: 00D2366B
"%s" (%d) : ==> %s:, xrefs: 00D23742
Error: , xrefs: 00D236EF
^ ERROR, xrefs: 00D236C9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 7dcac3ac82b75e80c323e19deb46df1dc447836f2fe2e88d3523d80627af45b5
Instruction ID: a4b85128671f88c5d0f15fa2fa54233843aa73046a39061bada4a592047e81e2
Opcode Fuzzy Hash: 7dcac3ac82b75e80c323e19deb46df1dc447836f2fe2e88d3523d80627af45b5
Instruction Fuzzy Hash: 0F515A71800219BBCF14EBA0DC92EEEBB78EF14305F144165F605721A1EB356A99EFB0

Function 00D2C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D2C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D2C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D2C2CA
GetLastError.KERNEL32 ref: 00D2C322
SetEvent.KERNEL32(?), ref: 00D2C336
InternetCloseHandle.WININET(00000000), ref: 00D2C341

Strings

, xrefs: 00D2C2BB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 108757c90d8ec9efe6d3e6de947fce2a583d9e86202c29c94990f21034af8b1e
Instruction ID: ef986373f250d35c0cb4775dd6964729a5f81b8d30d591f0c61e6be135811d21
Opcode Fuzzy Hash: 108757c90d8ec9efe6d3e6de947fce2a583d9e86202c29c94990f21034af8b1e
Instruction Fuzzy Hash: 45319E71511714AFD721DF64A888AAF7AFCEB6A748B149919F486D2210DB70DD048B70

Function 00D1989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CF3AAF,?,?,Bad directive syntax error,00D4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D198BC
LoadStringW.USER32(00000000,?,00CF3AAF,?), ref: 00D198C3

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D19987

Strings

Line %d (File "%s"):, xrefs: 00D1992D
., xrefs: 00D1996D
%s (%d) : ==> %s.: %s %s, xrefs: 00D198F1
Line %d:, xrefs: 00D19912
Error: , xrefs: 00D19955

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 3c9c0fcf99dba84adb1687cb79334b2d017d95a77a551f389d49b204e34e5f18
Instruction ID: 04d00a53ce95f88fa5b987a252dfb5745ec55aa1d0f81b453e5c2cceaaa59979
Opcode Fuzzy Hash: 3c9c0fcf99dba84adb1687cb79334b2d017d95a77a551f389d49b204e34e5f18
Instruction Fuzzy Hash: 17217E3194021ABBCF15AF90CC56EEE7B75FF18304F045459F519660A2EB319A58EB20

Function 00D1209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00D120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D1214D

Strings

largeicons, xrefs: 00D120E1
smallicons, xrefs: 00D12115
SHELLDLL_DefView, xrefs: 00D120CC
list, xrefs: 00D1212F
details, xrefs: 00D120FB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ab0d257f0d723da69c66b90a75d1d9193e7582b45f4938e14814b45a1c58ac6f
Instruction ID: 453e6acb082e28998726556d3320c32965f643d16f44318b6ce9959f6aa7d6f9
Opcode Fuzzy Hash: ab0d257f0d723da69c66b90a75d1d9193e7582b45f4938e14814b45a1c58ac6f
Instruction Fuzzy Hash: 8B113A7A684706BAF605A620FC07DFB339CCB05324B205016FB4CA41E6FEB298D56634

Function 00CE8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815a14e6ad4aad3e9da7eb7496a8119af194e116816f323321c266c8009c86ef
Instruction ID: c2fe8555bcd3fdd857421f4f610ecd864708575968eb26119def1612ea508bd9
Opcode Fuzzy Hash: 815a14e6ad4aad3e9da7eb7496a8119af194e116816f323321c266c8009c86ef
Instruction Fuzzy Hash: 86C1F274904389AFCB11DFAAC845BADBFB0FF0D310F444199E529AB392C7349A46DB61

Function 00CECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00CECEB7
_free.LIBCMT ref: 00CECF22
_free.LIBCMT ref: 00CECF48
_free.LIBCMT ref: 00CECF71
_free.LIBCMT ref: 00CECFA9
_free.LIBCMT ref: 00CECFDA
_free.LIBCMT ref: 00CED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00CED09C
_free.LIBCMT ref: 00CED0B5

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 660e09018820d01442cdad1d61f22b9cdaf0d322f87cd66dd5ef9e47012f367c
Instruction ID: 6914b4104a7788f1e1708de871da77770febdc7b654b34e71c079b27cf157cda
Opcode Fuzzy Hash: 660e09018820d01442cdad1d61f22b9cdaf0d322f87cd66dd5ef9e47012f367c
Instruction Fuzzy Hash: 186156729043C4AFDB25AFF798C2B697BA9AF05320F08416DF951D7382D6359E0297A0

Function 00D450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D45186
ShowWindow.USER32(?,00000000), ref: 00D451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00D451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D451D1

Part of subcall function 00D46FBA: DeleteObject.GDI32(00000000), ref: 00D46FE6

GetWindowLongW.USER32(?,000000F0), ref: 00D4520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D4521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D4524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D45287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D45296

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 7af32ad21f54eaeb18222a43a212ceec80ac0ebf72d696351237a40fba0c853a
Instruction ID: 141b34b5fa3721ea9830a6a6023a594e2f282495e3aae508ab4282c308acf3a6
Opcode Fuzzy Hash: 7af32ad21f54eaeb18222a43a212ceec80ac0ebf72d696351237a40fba0c853a
Instruction Fuzzy Hash: 3E51C534A51B08FFEF209F24EC89BD93B65FB05320F184012F619962E6C3B59980DB70

Function 00CC8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D06890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00D06901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D0691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00CC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00D0692D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 72d9a4fd952b34427a9c333e9ff10e2ba4569618d46d35e7cc99d90088e90855
Instruction ID: 6c41bf2480e2f3c46b6c3df29de65aa63b39b247c00f7db59bfb69ac4e77c4c6
Opcode Fuzzy Hash: 72d9a4fd952b34427a9c333e9ff10e2ba4569618d46d35e7cc99d90088e90855
Instruction Fuzzy Hash: 79518574600309AFDB208F25CC65FAA7BB5EB48710F144518F916D62E0DB70EE94DB60

Function 00D2C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D2C182
GetLastError.KERNEL32 ref: 00D2C195
SetEvent.KERNEL32(?), ref: 00D2C1A9

Part of subcall function 00D2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D2C272
Part of subcall function 00D2C253: GetLastError.KERNEL32 ref: 00D2C322
Part of subcall function 00D2C253: SetEvent.KERNEL32(?), ref: 00D2C336
Part of subcall function 00D2C253: InternetCloseHandle.WININET(00000000), ref: 00D2C341

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ad64aa913bdf95300a7186c364a07a4d71ef5440f2dba0696c51679fca74f375
Instruction ID: 9be1efb55b5411406aeba24644ada04f3d2db0bd16076fc4e3bbc548b33de8c7
Opcode Fuzzy Hash: ad64aa913bdf95300a7186c364a07a4d71ef5440f2dba0696c51679fca74f375
Instruction Fuzzy Hash: CB318B75221711EFDB219FA5AC44A6ABBE8FF29308B04641DF956C6620DB31EC109BB0

Function 00D125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D13A57
Part of subcall function 00D13A3D: GetCurrentThreadId.KERNEL32 ref: 00D13A5E
Part of subcall function 00D13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D125B3), ref: 00D13A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D12601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D12605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D1260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D12623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D12627

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: edcbe5cf0b4a9b250d894e66b6db9912a4fecf4f77da2474f7813de58d027b69
Instruction ID: 360b4fcf5fe00df64d6d2ec85a3a1aa15585d298612e92bf74feb8aca8b39c37
Opcode Fuzzy Hash: edcbe5cf0b4a9b250d894e66b6db9912a4fecf4f77da2474f7813de58d027b69
Instruction Fuzzy Hash: 5B01B1303A1310BBFB106B689C8AF993E59DF5AB12F101001F358EE1E1CDE264848AB9

Function 00D11803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D11449,?,?,00000000), ref: 00D1180C
HeapAlloc.KERNEL32(00000000,?,00D11449,?,?,00000000), ref: 00D11813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D11449,?,?,00000000), ref: 00D11828
GetCurrentProcess.KERNEL32(?,00000000,?,00D11449,?,?,00000000), ref: 00D11830
DuplicateHandle.KERNEL32(00000000,?,00D11449,?,?,00000000), ref: 00D11833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D11449,?,?,00000000), ref: 00D11843
GetCurrentProcess.KERNEL32(00D11449,00000000,?,00D11449,?,?,00000000), ref: 00D1184B
DuplicateHandle.KERNEL32(00000000,?,00D11449,?,?,00000000), ref: 00D1184E
CreateThread.KERNEL32(00000000,00000000,00D11874,00000000,00000000,00000000), ref: 00D11868

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 81c3d5534cffba6ebcd8d126b9cb270137ede3a034a095abb341fabd02a801d2
Instruction ID: a9a198952ec2684c1a7ff9ddbc89ff67192e3c1b12d62acfd172d8ca71dfd185
Opcode Fuzzy Hash: 81c3d5534cffba6ebcd8d126b9cb270137ede3a034a095abb341fabd02a801d2
Instruction Fuzzy Hash: 2401AC79351304BFE650AFA5DC4DF573B6CEB8AB11F045411FA05DB291CA7098008B30

Function 00D3A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00D1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D1D501
Part of subcall function 00D1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D1D50F
Part of subcall function 00D1D4DC: CloseHandle.KERNELBASE(00000000), ref: 00D1D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D3A16D
GetLastError.KERNEL32 ref: 00D3A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D3A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D3A268
GetLastError.KERNEL32(00000000), ref: 00D3A273
CloseHandle.KERNEL32(00000000), ref: 00D3A2C4

Strings

SeDebugPrivilege, xrefs: 00D3A18F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 254aa5508a36841f8a0f802662db317330f0014f71fc2c155caa9385f2e7182b
Instruction ID: b3813525038a7c73b9fec517cdf0c34d8b71c61d1c69bc4ee41d319994715743
Opcode Fuzzy Hash: 254aa5508a36841f8a0f802662db317330f0014f71fc2c155caa9385f2e7182b
Instruction Fuzzy Hash: 05619034205342AFD720DF18C494F66BBE1AF44318F18849CE4A68B7A3C776ED45CBA6

Function 00D43886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D43925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D4393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D43954
_wcslen.LIBCMT ref: 00D43999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D439F4

Strings

SysListView32, xrefs: 00D438F7

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5f7adef2ccb757f3e88b13f7be14d78b9f1dee77e146d45f40f9d14e2a56075e
Instruction ID: 3d806abd1ac4f79d0eae3020d1ade630e28b83ff80b767edd5fa463dab10edca
Opcode Fuzzy Hash: 5f7adef2ccb757f3e88b13f7be14d78b9f1dee77e146d45f40f9d14e2a56075e
Instruction Fuzzy Hash: C9418371A00319ABEF219F68CC45BEA7BA9EF08350F150526F958E7291D771DE84CBA0

Function 00D1BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D1BCFD
IsMenu.USER32(00000000), ref: 00D1BD1D
CreatePopupMenu.USER32 ref: 00D1BD53
GetMenuItemCount.USER32(01445CB8), ref: 00D1BDA4
InsertMenuItemW.USER32(01445CB8,?,00000001,00000030), ref: 00D1BDCC

Strings

2, xrefs: 00D1BD37
0, xrefs: 00D1BCA8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: edb0d1afbe86c2ceac6676dca14e82fc64e019d321d573f21b6f6b6e2d2e0c8a
Instruction ID: d16716771abf9ca8bf58bbc6eeb03bc0316eb2dc007ea6ac330fadd6555ffc7d
Opcode Fuzzy Hash: edb0d1afbe86c2ceac6676dca14e82fc64e019d321d573f21b6f6b6e2d2e0c8a
Instruction Fuzzy Hash: 42518E70600205ABDB18CFA8F884BEEBBF5EF55324F18415AE452D7291EB709981CB71

Function 00D1C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00D1C913

Strings

question, xrefs: 00D1C8CC
info, xrefs: 00D1C8B4
warning, xrefs: 00D1C8FC
stop, xrefs: 00D1C8E4
blank, xrefs: 00D1C895

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: aa7245b669d6e2268614b85c0e1fcaa92c3b53c74a907bf15ee1912f4b8994e0
Instruction ID: d1ff9a7acb9cf219e811e4be9f51a40ee78f31bf626c7afa6cffb1c809702095
Opcode Fuzzy Hash: aa7245b669d6e2268614b85c0e1fcaa92c3b53c74a907bf15ee1912f4b8994e0
Instruction Fuzzy Hash: B81108716D9706BFA7085B54ACC3CEF279CDF15365B20602BF608AA282FB709D806674

Function 00D1DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D1DE42
gethostname.WSOCK32(?,00000100), ref: 00D1DE5C
gethostbyname.WSOCK32(?), ref: 00D1DE69
inet_ntoa.WSOCK32(?), ref: 00D1DEAB
_strcat.LIBCMT ref: 00D1DEB9
WSACleanup.WSOCK32 ref: 00D1DEDE

Strings

0.0.0.0, xrefs: 00D1DE87

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: eadb17b434eb671394bf850a48b7cacdc7a6eae8fe8e93882405ea5225dc0b08
Instruction ID: a4a4cb60b40d8d6e581cd4bd3a9a4bfcf57b21f45464657f0f014a090e43dae9
Opcode Fuzzy Hash: eadb17b434eb671394bf850a48b7cacdc7a6eae8fe8e93882405ea5225dc0b08
Instruction Fuzzy Hash: 3211E471904204BFCB24AB70AC4AEEE77ADDB11711F04016AF685D6291EF708AC19AB0

Function 00D49F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

GetSystemMetrics.USER32(0000000F), ref: 00D49FC7
GetSystemMetrics.USER32(0000000F), ref: 00D49FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D4A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D4A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D4A263
ShowWindow.USER32(00000003,00000000), ref: 00D4A282
InvalidateRect.USER32(?,00000000,00000001), ref: 00D4A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D4A2CA

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c2b9207919ec0bd2173b675e737820fc05c60954e4320bee67d994b401faa5c7
Instruction ID: 1508969247a736f09a19f5d7172f503f646cf784811179192bdc3eeb4107677b
Opcode Fuzzy Hash: c2b9207919ec0bd2173b675e737820fc05c60954e4320bee67d994b401faa5c7
Instruction Fuzzy Hash: 50B1B835640215AFDF14CF6CC9C57AE7BB2BF48701F088069EC89AF299D771AA40DB61

Function 00D1ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00D1ED2A
_wcslen.LIBCMT ref: 00D1ED3B
_wcslen.LIBCMT ref: 00D1ED79
_wcslen.LIBCMT ref: 00D1EDAF
_wcslen.LIBCMT ref: 00D1EDDF
_wcslen.LIBCMT ref: 00D1EDEF
_wcslen.LIBCMT ref: 00D1EE2B
_wcslen.LIBCMT ref: 00D1EE5A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: bf151425219456becf12d39d20e83f097efc65a9727b61ac7a0e094dcc024e0e
Instruction ID: f0b918afdb648e51ab3c6a48008a7fa724a2386abf581813cca01d1d7046c6b1
Opcode Fuzzy Hash: bf151425219456becf12d39d20e83f097efc65a9727b61ac7a0e094dcc024e0e
Instruction Fuzzy Hash: A4418F65C1021876CB11EBB4DC8A9CFB7ACAF45710F508463FA18E3221EB34E695C7E5

Function 00CCF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00CCF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00D0F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00D0F454

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c528af36ea08c4d41667f14d549d245c69c289c1444b2aaa23e010f13055d2ad
Instruction ID: 2f6446737b44a65244027bbefae1e55d200402f54498e3e256b20e14b8dbdb08
Opcode Fuzzy Hash: c528af36ea08c4d41667f14d549d245c69c289c1444b2aaa23e010f13055d2ad
Instruction Fuzzy Hash: 84415234614740BBCF789F29C888F2E7B93AB47310F14503CE49B96AA0C631E982CB31

Function 00D42D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D42D1B
GetDC.USER32(00000000), ref: 00D42D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D42D2E
ReleaseDC.USER32(00000000,00000000), ref: 00D42D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D42D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D42D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00D42DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D42DE1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5b37696a208a96b4019d599a28da18794859235835a01fd67a234e6a166fbbbf
Instruction ID: 2223ffd15be2fae5d498ae43639a602ec96a997167a84fbfff60c95ae45272a9
Opcode Fuzzy Hash: 5b37696a208a96b4019d599a28da18794859235835a01fd67a234e6a166fbbbf
Instruction Fuzzy Hash: 89316D76212614BBEB214F508C89FFB3BA9EB0A715F084055FE08DA2A1D6759C50CBB4

Function 00D15622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D15637
_memcmp.LIBVCRUNTIME ref: 00D15659
_memcmp.LIBVCRUNTIME ref: 00D15671
_memcmp.LIBVCRUNTIME ref: 00D15684
_memcmp.LIBVCRUNTIME ref: 00D1569E
_memcmp.LIBVCRUNTIME ref: 00D156B1
_memcmp.LIBVCRUNTIME ref: 00D156C9
_memcmp.LIBVCRUNTIME ref: 00D156E4

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 29c54ac14f4b8923bdc8dd9e36cd58ccfd7c4085218e3979f5be675408024125
Instruction ID: 7610cb4b8feb641bd681497c319ff1903fe51010768dc90072af22ede45de8cf
Opcode Fuzzy Hash: 29c54ac14f4b8923bdc8dd9e36cd58ccfd7c4085218e3979f5be675408024125
Instruction Fuzzy Hash: 6E21D761640A09FBD6145620BDC2FFA335CAFA1384F480021FE449A696FF68ED54D2F5

Function 00D34FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00D3502E, 00D35383
Not an Object type, xrefs: 00D35007

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b38a7658a7692977eaf8a41290a7993af45b19b23880fedf431510e01ec3a5a4
Instruction ID: f90af2c6e108661a3d9dfa8109a210a764855af61c7aa90c15f84ac7dfc2e91a
Opcode Fuzzy Hash: b38a7658a7692977eaf8a41290a7993af45b19b23880fedf431510e01ec3a5a4
Instruction Fuzzy Hash: F3D1AF75A0060A9FDF14CF98D880BAEB7B5FF48344F188469E915AB284E771ED45CBB0

Function 00CF1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00CF15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CF1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CF16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CF16FB

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CF1777
__freea.LIBCMT ref: 00CF17A2
__freea.LIBCMT ref: 00CF17AE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 16d1943bb77f6d22ac2fb520c0a74c984bd63051c5e579a7bd95981f34d06e9f
Instruction ID: 2d0d9a5e738f10f114cbe15b865d6d594dbca7e0bca7325ae022a571bf05dda2
Opcode Fuzzy Hash: 16d1943bb77f6d22ac2fb520c0a74c984bd63051c5e579a7bd95981f34d06e9f
Instruction Fuzzy Hash: 9D91C271E0020EDADB649E75C881AFE7BB5DF49310F1C065AEE15E7281DB25DE40CB62

Function 00D34523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D34648
VariantInit.OLEAUT32(?), ref: 00D34749
VariantClear.OLEAUT32(?), ref: 00D34753
VariantClear.OLEAUT32(?), ref: 00D347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00D3472C
Null Object assignment in FOR..IN loop, xrefs: 00D345D8, 00D34706, 00D347BE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9392bcec64e45b5627fd7a4bf9ca1a758ef1d2272dc2369a77a63e4e28b99700
Instruction ID: c7c947e5575386b8a3b2fd7ed392f98494d88d0f7edc2e919d6f46c731821513
Opcode Fuzzy Hash: 9392bcec64e45b5627fd7a4bf9ca1a758ef1d2272dc2369a77a63e4e28b99700
Instruction Fuzzy Hash: 90919DB1A00219AFDF20CFA5C885FAEBBB8EF46714F148559F505AB280D774A945CFB0

Function 00D21187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00D2125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00D21284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00D212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D2135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00D21430

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: be2499abb0402f577732e8e0eaf8cb5865b15242542ae5ef1ec440cc6d2cdd6b
Instruction ID: cc96f1dc14c63354ac482b6e7762cb1acffac65768ce209062e6d923fb297a95
Opcode Fuzzy Hash: be2499abb0402f577732e8e0eaf8cb5865b15242542ae5ef1ec440cc6d2cdd6b
Instruction Fuzzy Hash: F4911579900228AFDB00DF98E885BBE77B5FF65318F148069E544E7291D774E942CBB0

Function 00CC948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a9ccf32609b573426624d5f3f4c08acb78279ff58341689c74409cf57223d9fb
Instruction ID: ad4e21aa67fab5a3a10152292785577e6970121f7103657bf4855d6703abb11b
Opcode Fuzzy Hash: a9ccf32609b573426624d5f3f4c08acb78279ff58341689c74409cf57223d9fb
Instruction Fuzzy Hash: D9910471D00219EFCB14CFA9CC88AEEBBB8FF49320F148559E515B7291D774AA42DB60

Function 00D33947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D3396B
CharUpperBuffW.USER32(?,?), ref: 00D33A7A
_wcslen.LIBCMT ref: 00D33A8A
VariantClear.OLEAUT32(?), ref: 00D33C1F

Part of subcall function 00D20CDF: VariantInit.OLEAUT32(00000000), ref: 00D20D1F
Part of subcall function 00D20CDF: VariantCopy.OLEAUT32(?,?), ref: 00D20D28
Part of subcall function 00D20CDF: VariantClear.OLEAUT32(?), ref: 00D20D34

Strings

Incorrect Parameter format, xrefs: 00D339A6, 00D33BA1
AUTOIT.ERROR, xrefs: 00D33A80, 00D33A85

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 90823fac4b74c74d3821780460ba832ec50c77fd849932f4217b7b17f6bd52a2
Instruction ID: 6036ba6b565b8291a2cef770e6e1f808aabfb03bca0b86080528f82568346b00
Opcode Fuzzy Hash: 90823fac4b74c74d3821780460ba832ec50c77fd849932f4217b7b17f6bd52a2
Instruction Fuzzy Hash: 9F9179756083419FC704DF28C58196ABBE4FF89314F18892DF88A9B351DB31EE45CBA2

Function 00D34BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00D1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?,?,00D1035E), ref: 00D1002B
Part of subcall function 00D1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10046
Part of subcall function 00D1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10054
Part of subcall function 00D1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?), ref: 00D10064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00D34C51
_wcslen.LIBCMT ref: 00D34D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00D34DCF
CoTaskMemFree.OLE32(?), ref: 00D34DDA

Strings

NULL Pointer assignment, xrefs: 00D34E23, 00D34E52

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ac20f1962eb94717254eb0ea65f53284c9c7644bd7e74cfd2d25b8b9b41e0940
Instruction ID: 492b4f9b8e5a140c6aa8fe92cbd9f1aedbf6e4b477a45fe7e022daa797085343
Opcode Fuzzy Hash: ac20f1962eb94717254eb0ea65f53284c9c7644bd7e74cfd2d25b8b9b41e0940
Instruction Fuzzy Hash: 47912771D00219AFDF14DFA4D891AEEB7B8FF08310F10816AE915B7291EB34AA44DF60

Function 00D420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D42183
GetMenuItemCount.USER32(00000000), ref: 00D421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D421DD
_wcslen.LIBCMT ref: 00D42213
GetMenuItemID.USER32(?,?), ref: 00D4224D
GetSubMenu.USER32(?,?), ref: 00D4225B

Part of subcall function 00D13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D13A57
Part of subcall function 00D13A3D: GetCurrentThreadId.KERNEL32 ref: 00D13A5E
Part of subcall function 00D13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D125B3), ref: 00D13A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D422E3

Part of subcall function 00D1E97B: Sleep.KERNEL32 ref: 00D1E9F3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 970fb6393013f23e53847cdf975273788b276102c019fc514b2c2de94b236dbb
Instruction ID: a04b4acdfaa4d1a4ab581e7fc6c9b0d8acbc67c5ea674c71d97d0add8f7e07c4
Opcode Fuzzy Hash: 970fb6393013f23e53847cdf975273788b276102c019fc514b2c2de94b236dbb
Instruction Fuzzy Hash: 32717D75A00205AFCB10DFA8C885ABEB7F5EF88310F548459F956EB351DB74EE418BA0

Function 00D47E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01445D08), ref: 00D47F37
IsWindowEnabled.USER32(01445D08), ref: 00D47F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D4801E
SendMessageW.USER32(01445D08,000000B0,?,?), ref: 00D48051
IsDlgButtonChecked.USER32(?,?), ref: 00D48089
GetWindowLongW.USER32(01445D08,000000EC), ref: 00D480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D480C3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2b171e3363b9c0234a4084f8fcbeca432a091608795c59af49f08c977db8f59e
Instruction ID: ce3bffca2406efa18610e25f101f21020e21a447fd06f9bd4bb4aa5ffe8e8495
Opcode Fuzzy Hash: 2b171e3363b9c0234a4084f8fcbeca432a091608795c59af49f08c977db8f59e
Instruction Fuzzy Hash: F7716F38609204AFEB219F64C894FBEBBB9EF09340F18445AF95597361CB31AC49DB30

Function 00D1AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00D1AEF9
GetKeyboardState.USER32(?), ref: 00D1AF0E
SetKeyboardState.USER32(?), ref: 00D1AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00D1AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00D1AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00D1AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D1B020

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5213e7d4195ead1c89dffdbc3fbe1abb8d06645df73ca5d09849f7315bfc8dc3
Instruction ID: 63fbb30714e3462ac2d9a722ef3874740c16b6ab083fdd34f17baa26bc924027
Opcode Fuzzy Hash: 5213e7d4195ead1c89dffdbc3fbe1abb8d06645df73ca5d09849f7315bfc8dc3
Instruction Fuzzy Hash: 6051D2A06057D53DFB3682389845BFABEA95F06314F0C848AF1D9854D2CBA8ACC9D771

Function 00D1ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00D1AD19
GetKeyboardState.USER32(?), ref: 00D1AD2E
SetKeyboardState.USER32(?), ref: 00D1AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D1ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D1ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D1AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D1AE38

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1bb07b1655af419cde6ff293f10f0a33b7dddb66ff50242cd50a09fb4b7c549b
Instruction ID: acb29c75a3b131060656c612db94aae4bce9e317902d95bd34c60ef9d3d22750
Opcode Fuzzy Hash: 1bb07b1655af419cde6ff293f10f0a33b7dddb66ff50242cd50a09fb4b7c549b
Instruction Fuzzy Hash: 9951F7A06057D13DFB328378AC55BFA7EA85B46300F0C8489F0D5468C2DAA4ECD8D772

Function 00CE542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00CF3CD6,?,?,?,?,?,?,?,?,00CE5BA3,?,?,00CF3CD6,?,?), ref: 00CE5470
__fassign.LIBCMT ref: 00CE54EB
__fassign.LIBCMT ref: 00CE5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00CF3CD6,00000005,00000000,00000000), ref: 00CE552C
WriteFile.KERNEL32(?,00CF3CD6,00000000,00CE5BA3,00000000,?,?,?,?,?,?,?,?,?,00CE5BA3,?), ref: 00CE554B
WriteFile.KERNEL32(?,?,00000001,00CE5BA3,00000000,?,?,?,?,?,?,?,?,?,00CE5BA3,?), ref: 00CE5584

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bc098d716e7a8eea3afd5676663128ac55f3dbc32b9ac1af784619f47dff2588
Instruction ID: b810adf8dc8cc1ecbde271bbc4de96be568a983f663fdec04e9c2295954b8ac7
Opcode Fuzzy Hash: bc098d716e7a8eea3afd5676663128ac55f3dbc32b9ac1af784619f47dff2588
Instruction Fuzzy Hash: F951E3B1A017899FDB10CFA9D845AEEBBF9EF09304F24411AF555E7391E730AA41CB60

Function 00CD2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CD2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00CD2D53
_ValidateLocalCookies.LIBCMT ref: 00CD2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00CD2E0C
_ValidateLocalCookies.LIBCMT ref: 00CD2E61

Strings

csm, xrefs: 00CD2DF6

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c32195aadec9fe3953016e22b2579d94aa19817728dde7882b6c436dfb6902e1
Instruction ID: bd972bea0f94eb6f0f5695bc76845e8902a9f1a9b3e76b1583adf288248bf832
Opcode Fuzzy Hash: c32195aadec9fe3953016e22b2579d94aa19817728dde7882b6c436dfb6902e1
Instruction Fuzzy Hash: FE419234A00249ABCF10DF68CC45A9EBBB5BF54325F148157EA24AB392D731EA05DBD1

Function 00D310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D3307A
Part of subcall function 00D3304E: _wcslen.LIBCMT ref: 00D3309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D31112
WSAGetLastError.WSOCK32 ref: 00D31121
WSAGetLastError.WSOCK32 ref: 00D311C9
closesocket.WSOCK32(00000000), ref: 00D311F9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 207ac4b9d638332523a590d3addc884fb67bd87352b6270f3c00e38f441c54d4
Instruction ID: 7279ca2ae97cce234484381890cbde9aaa57726f1dcdb7ca075b33a4c2756762
Opcode Fuzzy Hash: 207ac4b9d638332523a590d3addc884fb67bd87352b6270f3c00e38f441c54d4
Instruction Fuzzy Hash: 5A41EF39600305AFDB109F64C884BEABBE9EF45324F188059FD469B291C770ED41CBB1

Function 00D1CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D1CF22,?), ref: 00D1DDFD

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D1CF22,?), ref: 00D1DE16

lstrcmpiW.KERNEL32(?,?), ref: 00D1CF45
MoveFileW.KERNEL32(?,?), ref: 00D1CF7F
_wcslen.LIBCMT ref: 00D1D005
_wcslen.LIBCMT ref: 00D1D01B
SHFileOperationW.SHELL32(?), ref: 00D1D061

Strings

\*.*, xrefs: 00D1CFF3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5b5b4cec5c0056776f99015fa6c77ef459e9be8792f707c43d22f3fbefafd5f9
Instruction ID: d5d3c92e4fe07e3159f979cfbeb0b49f89a4a076c7489280206dd4c639ecab20
Opcode Fuzzy Hash: 5b5b4cec5c0056776f99015fa6c77ef459e9be8792f707c43d22f3fbefafd5f9
Instruction Fuzzy Hash: 6B4144719462196FDF12EFA4E981ADDB7B9AF48340F1400E6E605EB141EF34A689CB60

Function 00D42DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D42E1C
GetWindowLongW.USER32(?,000000F0), ref: 00D42E4F
GetWindowLongW.USER32(?,000000F0), ref: 00D42E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D42EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D42EE0
GetWindowLongW.USER32(?,000000F0), ref: 00D42EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D42F0B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e8410dafa445dbbdddd5ad6f55d0a447a3c2f4f6f2f53f41be6efbb6ed1d9986
Instruction ID: 45abaee79f268dec1b85ef27507f0869e2b71f7bb71bc1e87765d908aaaee79c
Opcode Fuzzy Hash: e8410dafa445dbbdddd5ad6f55d0a447a3c2f4f6f2f53f41be6efbb6ed1d9986
Instruction Fuzzy Hash: D1311238615240AFEB20DF58DC84F6537E8EB8A710F9911A4F924CB2B2CB71AC45DB20

Function 00D17726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D17769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D1778F
SysAllocString.OLEAUT32(00000000), ref: 00D17792
SysAllocString.OLEAUT32(?), ref: 00D177B0
SysFreeString.OLEAUT32(?), ref: 00D177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00D177DE
SysAllocString.OLEAUT32(?), ref: 00D177EC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dd9c4f92ee9858b71d2d9901f2179dac1a670c3f0583d2d82294f925ca516967
Instruction ID: 550aeab62ae74318528bbbd6e42a748b2ad26c46aad0a2eae8056709337f1b47
Opcode Fuzzy Hash: dd9c4f92ee9858b71d2d9901f2179dac1a670c3f0583d2d82294f925ca516967
Instruction Fuzzy Hash: E121917A605219BFDB109FA8DC84DFA73ACEB09364B088025F915DB2A1DA70DC81C770

Function 00D177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D17842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D17868
SysAllocString.OLEAUT32(00000000), ref: 00D1786B
SysAllocString.OLEAUT32 ref: 00D1788C
SysFreeString.OLEAUT32 ref: 00D17895
StringFromGUID2.OLE32(?,?,00000028), ref: 00D178AF
SysAllocString.OLEAUT32(?), ref: 00D178BD

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 11a729fd8731322f7e88e300c5f9af1c3df9d108559f58261cd63f8cc8063622
Instruction ID: 3d8128ef3bb92322886d8e0d6e118bb6a9b20e7683761923744551e6db77669b
Opcode Fuzzy Hash: 11a729fd8731322f7e88e300c5f9af1c3df9d108559f58261cd63f8cc8063622
Instruction Fuzzy Hash: 71213075609204BFDB10AFA8EC88DEA77BCEB097607148125F915CB2B1DA74EC81CB74

Function 00D204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00D204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D2052E

Strings

nul, xrefs: 00D20567

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7934b6d58348dd326f4c60530437a0d527bc722f76a57065bc44ba95ed1343ba
Instruction ID: fb03ab93cf8893a7082ceeea33ea4db42dbfe76f72feede7b982af6ee670c78a
Opcode Fuzzy Hash: 7934b6d58348dd326f4c60530437a0d527bc722f76a57065bc44ba95ed1343ba
Instruction Fuzzy Hash: 892162756003159FDB209F29EC44A5A7BF4AF65728F244A19F8A1D62E1D7B0D940CF70

Function 00D205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00D20601

Strings

nul, xrefs: 00D20639

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 07b41f7f37bbec370060445e478ed5cfa31437122324bdfb209c3f1c48a1cd98
Instruction ID: 6d79914472f3612a812790508a9d4da3ca63f85eebb66c2348292523d8fcd0fe
Opcode Fuzzy Hash: 07b41f7f37bbec370060445e478ed5cfa31437122324bdfb209c3f1c48a1cd98
Instruction Fuzzy Hash: 722195755003259FDB209F69EC44A5A7BE4FFA5729F240A19F8A1E72E1D7B09860CB30

Function 00D440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CB604C
Part of subcall function 00CB600E: GetStockObject.GDI32(00000011), ref: 00CB6060
Part of subcall function 00CB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D44112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D4411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D4412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D44139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D44145

Strings

Msctls_Progress32, xrefs: 00D440E3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0cf77ce58e5da3b981688807797951ee58cdd4ea90a4a035dca84a49d3fd1c75
Instruction ID: e20c5ed7c378757473e0aa47e25f006839e1839f444089479f75d6a997165c5f
Opcode Fuzzy Hash: 0cf77ce58e5da3b981688807797951ee58cdd4ea90a4a035dca84a49d3fd1c75
Instruction Fuzzy Hash: B51190B2150219BFEF119F64CC86EE77F6DEF08798F014111BA18A2150C6729C619BB4

Function 00CED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CED7A3: _free.LIBCMT ref: 00CED7CC

_free.LIBCMT ref: 00CED82D

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CED838
_free.LIBCMT ref: 00CED843
_free.LIBCMT ref: 00CED897
_free.LIBCMT ref: 00CED8A2
_free.LIBCMT ref: 00CED8AD
_free.LIBCMT ref: 00CED8B8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1db384e3ea27c2d5cd41456130134e1d8d0ed70d5a9b15e3736fbd49554f67cd
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 03112E71540B88AAD621BFB2CC47FCB7BDCAF04700F404865B69AE6493DA69B505A660

Function 00D1DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D1DA74
LoadStringW.USER32(00000000), ref: 00D1DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D1DA91
LoadStringW.USER32(00000000), ref: 00D1DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D1DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00D1DAB9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cbf40819f617ab0baad266456cbf45f4de262a868dbc8e0d0788c7f0cb16a2e1
Instruction ID: 8ee3f44090a5ccddc3ad5a67c1d10f780e97e6267b36de10ec5431a798ae195e
Opcode Fuzzy Hash: cbf40819f617ab0baad266456cbf45f4de262a868dbc8e0d0788c7f0cb16a2e1
Instruction Fuzzy Hash: 000181F69103187FE750EBA0AD89EEB736CEB09305F405492F746E2141EA749E848F74

Function 00D2096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0143D778,0143D778), ref: 00D2097B
EnterCriticalSection.KERNEL32(0143D758,00000000), ref: 00D2098D
TerminateThread.KERNEL32(?,000001F6), ref: 00D2099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00D209A9
CloseHandle.KERNEL32(?), ref: 00D209B8
InterlockedExchange.KERNEL32(0143D778,000001F6), ref: 00D209C8
LeaveCriticalSection.KERNEL32(0143D758), ref: 00D209CF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 57b9a2f9c22a54d33f7a295596710ca4fc979f54d15fe4f7006665d5d12559b3
Instruction ID: 7c548f771091cc46bfe8600087d0b024f6e0b89bf6a870ca378ebeddf9cd2aae
Opcode Fuzzy Hash: 57b9a2f9c22a54d33f7a295596710ca4fc979f54d15fe4f7006665d5d12559b3
Instruction Fuzzy Hash: ABF01D31553A12ABDB915F94EE8CAD67A25BF06702F482015F102909A1C7B59465CFB4

Function 00CB5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00CB5D30
GetWindowRect.USER32(?,?), ref: 00CB5D71
ScreenToClient.USER32(?,?), ref: 00CB5D99
GetClientRect.USER32(?,?), ref: 00CB5ED7
GetWindowRect.USER32(?,?), ref: 00CB5EF8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: dcf0c7f2723bf779caee3f8d63aac149bf1293e0083db4e6a26e792ca194ae9b
Instruction ID: 7db24b9d8f9612039f0f6950ff8289162d0ff6dc658af908cf298d18b261c371
Opcode Fuzzy Hash: dcf0c7f2723bf779caee3f8d63aac149bf1293e0083db4e6a26e792ca194ae9b
Instruction Fuzzy Hash: 83B16734A00A8ADBDB14CFA9C4807EAB7F1BF48310F14951AE8A9D7290DB34EA41CB55

Function 00CE01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00CE00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE00D6
__allrem.LIBCMT ref: 00CE00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE010B
__allrem.LIBCMT ref: 00CE0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CE0140

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 7114697d2589a9e38fcfe6d46bedd904af5c00cee1fcd18c18f42eca04109661
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: F681F8726007469BE724AF6ACC82B6F73E9AF41324F24453EF561DA381E7B0DE419790

Function 00D31D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D33149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00D3101C,00000000,?,?,00000000), ref: 00D33195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D31DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D31DE1
WSAGetLastError.WSOCK32 ref: 00D31DF2
inet_ntoa.WSOCK32(?), ref: 00D31E8C
htons.WSOCK32(?,?,?,?,?), ref: 00D31EDB
_strlen.LIBCMT ref: 00D31F35

Part of subcall function 00D139E8: _strlen.LIBCMT ref: 00D139F2

Part of subcall function 00CB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00CCCF58,?,?,?), ref: 00CB6DBA
Part of subcall function 00CB6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00CCCF58,?,?,?), ref: 00CB6DED

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 53800c44e0bf4baa2213a91920a997bce2be28905e93a4d03af93358be830ae1
Instruction ID: 348e37de61d4f683cce5ce2432fe31159a6237d291b14c19462de9ad5d02975b
Opcode Fuzzy Hash: 53800c44e0bf4baa2213a91920a997bce2be28905e93a4d03af93358be830ae1
Instruction Fuzzy Hash: 7AA1E335104301AFC324DF24C885F6ABBE5AF85318F58895CF5965B2E2CB71ED46CBA2

Function 00CE61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CD82D9,00CD82D9,?,?,?,00CE644F,00000001,00000001,8BE85006), ref: 00CE6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CE644F,00000001,00000001,8BE85006,?,?,?), ref: 00CE62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CE63D8
__freea.LIBCMT ref: 00CE63E5

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

__freea.LIBCMT ref: 00CE63EE
__freea.LIBCMT ref: 00CE6413

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 61e3ad09023a8aeb3dce638b8da6878f9a97ab44b1467a3278477732cfdf1989
Instruction ID: 2a2883e22c719b8bb803f573e96238c5516896f82678979db302a66f3c38291b
Opcode Fuzzy Hash: 61e3ad09023a8aeb3dce638b8da6878f9a97ab44b1467a3278477732cfdf1989
Instruction Fuzzy Hash: 55513372620286ABDB258F66CC81EBF7BA9EF50790F144229FE15D7190EB34DD40D660

Function 00D3BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D3BD25
RegCloseKey.ADVAPI32(00000000), ref: 00D3BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D3BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D3BDF3
RegCloseKey.ADVAPI32(?), ref: 00D3BDFF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: db54c0516e0d70d280968905ef8470c57aa0181236dc76357ae2123ee6a95cf1
Instruction ID: a4669a1caca4000ea6c789a8fe3d5b29b9e41824e5129657ad4ab5e659f471ef
Opcode Fuzzy Hash: db54c0516e0d70d280968905ef8470c57aa0181236dc76357ae2123ee6a95cf1
Instruction Fuzzy Hash: 7A81B230218241EFC714DF24C881E6ABBE5FF84318F18855DF5968B2A2DB31ED45DBA2

Function 00D0F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00D0F7B9
SysAllocString.OLEAUT32(00000001), ref: 00D0F860
VariantCopy.OLEAUT32(00D0FA64,00000000), ref: 00D0F889
VariantClear.OLEAUT32(00D0FA64), ref: 00D0F8AD
VariantCopy.OLEAUT32(00D0FA64,00000000), ref: 00D0F8B1
VariantClear.OLEAUT32(?), ref: 00D0F8BB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: cd716bd0520c09dd2a20f112797c82e4dcd03394651bb51b3207e1e64564d474
Instruction ID: 9c0205f4452188af2bfed1ef9f0a9f5bdc1e33a2ea557e882d58d74c87b25a9a
Opcode Fuzzy Hash: cd716bd0520c09dd2a20f112797c82e4dcd03394651bb51b3207e1e64564d474
Instruction Fuzzy Hash: B551C335600310AACF34AF65E895B6DB3A4EF45310F34946AE90ADF6D1DB709C40DBB6

Function 00D2910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00D294E5
_wcslen.LIBCMT ref: 00D29506
_wcslen.LIBCMT ref: 00D2952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00D29585

Strings

X, xrefs: 00D29412

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2c9b4f253a94ce03fecfd5a2871624a93cc2fb1673d68ea6510eae28f34b3277
Instruction ID: e6f432c0aa8d955f6686e776d536e77708399419d063bd08f74dc8dcec045ce6
Opcode Fuzzy Hash: 2c9b4f253a94ce03fecfd5a2871624a93cc2fb1673d68ea6510eae28f34b3277
Instruction Fuzzy Hash: 10E1B331604350CFD724DF24D891AAAB7E4FF95314F18896DF8899B2A2DB31DD05CBA2

Function 00CC920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

BeginPaint.USER32(?,?,?), ref: 00CC9241
GetWindowRect.USER32(?,?), ref: 00CC92A5
ScreenToClient.USER32(?,?), ref: 00CC92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00CC92D3
EndPaint.USER32(?,?,?,?,?), ref: 00CC9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D071EA

Part of subcall function 00CC9339: BeginPath.GDI32(00000000), ref: 00CC9357

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 295952f07393b2dfa013a58b94b1253f5888ab1704bf3a9bbf4bc117bc66be50
Instruction ID: f72b82fddb87afb1801862e649147061036dff32ead0f0b0b2f92aea7248559a
Opcode Fuzzy Hash: 295952f07393b2dfa013a58b94b1253f5888ab1704bf3a9bbf4bc117bc66be50
Instruction Fuzzy Hash: 1E418D74505300AFD711DF25CC88FAA7BA8EB46320F140669F9A5CB2F1C7319846DB72

Function 00D207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00D2080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00D20847
EnterCriticalSection.KERNEL32(?), ref: 00D20863
LeaveCriticalSection.KERNEL32(?), ref: 00D208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00D208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00D20921

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f972793d39de0fd737571d09e49cd921912c9c41abded1c9b19c9a1c22a3ae36
Instruction ID: c78711d7e0f2cb932f39f3b9d4c2552b1a54af7d6bd72612a90a42519057decd
Opcode Fuzzy Hash: f972793d39de0fd737571d09e49cd921912c9c41abded1c9b19c9a1c22a3ae36
Instruction Fuzzy Hash: 00416B71A00205EBDF14AF54DC85A6ABBB9FF04304F1480A9ED04DA297DB70DE61EBB4

Function 00D481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D0F3AB,00000000,?,?,00000000,?,00D0682C,00000004,00000000,00000000), ref: 00D4824C
EnableWindow.USER32(?,00000000), ref: 00D48272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D482D1
ShowWindow.USER32(?,00000004), ref: 00D482E5
EnableWindow.USER32(?,00000001), ref: 00D4830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D4832F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a45dbb555626bd433e5cde44f4f0aafd35e5b034a88db8417d11cfc990b62e61
Instruction ID: 2960834c08e073d12ada8e38415066c687f0cb429c70aa5c4a6a70d3ca2bb2c4
Opcode Fuzzy Hash: a45dbb555626bd433e5cde44f4f0aafd35e5b034a88db8417d11cfc990b62e61
Instruction Fuzzy Hash: 1741B234601740AFDF11CF14C8D9BA87BE4BB0AB55F1C5268E5188B262CB71A845DF74

Function 00D14C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D14C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D14CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D14CEA
_wcslen.LIBCMT ref: 00D14D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D14D10
_wcsstr.LIBVCRUNTIME ref: 00D14D1A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e02892bc4be6089330fac4704f38a03d6443dd3e626a12c2bda07241ce213aac
Instruction ID: 747fe4f510ca4dc50ca5c4f68b64e6c560a73ffbbe4d6cd3d9d2f28012e07653
Opcode Fuzzy Hash: e02892bc4be6089330fac4704f38a03d6443dd3e626a12c2bda07241ce213aac
Instruction Fuzzy Hash: 7721F676205200BBEB255B39FC49EBB7B9DDF45750F14802EF905CA2A2EE61DC8196B0

Function 00D2581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00CB3A97,?,?,00CB2E7F,?,?,?,00000000), ref: 00CB3AC2

_wcslen.LIBCMT ref: 00D2587B
CoInitialize.OLE32(00000000), ref: 00D25995
CoCreateInstance.OLE32(00D4FCF8,00000000,00000001,00D4FB68,?), ref: 00D259AE
CoUninitialize.OLE32 ref: 00D259CC

Strings

.lnk, xrefs: 00D25876, 00D258C1, 00D25985

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: cc7695dc2e291bffa479e4ef9f0e7c2c8fcfb693cb2a7d20789561b43e85da23
Instruction ID: 55fa6598d22be624e7f16e36031c7ea612a5776bfdecb3a0c75868702c7cec46
Opcode Fuzzy Hash: cc7695dc2e291bffa479e4ef9f0e7c2c8fcfb693cb2a7d20789561b43e85da23
Instruction Fuzzy Hash: 2AD163746087119FC714DF24E480E6ABBE1EF99318F14895DF88A9B361DB31EC45CBA2

Function 00D1175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D10FCA
Part of subcall function 00D10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D10FD6
Part of subcall function 00D10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D10FE5
Part of subcall function 00D10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D10FEC
Part of subcall function 00D10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D11002

GetLengthSid.ADVAPI32(?,00000000,00D11335), ref: 00D117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D117BA
HeapAlloc.KERNEL32(00000000), ref: 00D117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D117DA
GetProcessHeap.KERNEL32(00000000,00000000,00D11335), ref: 00D117EE
HeapFree.KERNEL32(00000000), ref: 00D117F5

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f166591ad87be4b4258fdab54dca58c650dafdeb08a397d4693fa2419f70ee55
Instruction ID: 62658e632aecafbfac8204e072c2c6a380ac7dddcb1b42975829584adeaf6f4f
Opcode Fuzzy Hash: f166591ad87be4b4258fdab54dca58c650dafdeb08a397d4693fa2419f70ee55
Instruction Fuzzy Hash: E5118939612305FBDB109FA4EC49BEE7BA9EB42355F144018E581E7250CB35A984CB70

Function 00D114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00D11506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D11515
CloseHandle.KERNEL32(00000004), ref: 00D11520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D1154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D11563

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3278d6193c5f11276af2cee3c96cc25a3209eff594d09876fa09c3814668d7ce
Instruction ID: 44e5f44b2ed39743aad3fcc579269b740091f7dfb8f50aee40347abd07e0c0dc
Opcode Fuzzy Hash: 3278d6193c5f11276af2cee3c96cc25a3209eff594d09876fa09c3814668d7ce
Instruction Fuzzy Hash: D411177A602209BBDB118F98ED49BDE7BA9EB49744F084015FA05A2160C775CEA0DB71

Function 00CD3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CD3379,00CD2FE5), ref: 00CD3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CD339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CD33B7
SetLastError.KERNEL32(00000000,?,00CD3379,00CD2FE5), ref: 00CD3409

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b58900752ff9d7fcdf84c9bef2a93e9f0ea39b0d99367b1ee1dec5d0e57a818c
Instruction ID: 8d3a92ea271d9c5e6681f8b4e95e0f19f01ed03890dc1c95d754375ad0a6b01c
Opcode Fuzzy Hash: b58900752ff9d7fcdf84c9bef2a93e9f0ea39b0d99367b1ee1dec5d0e57a818c
Instruction Fuzzy Hash: F9012832219351BFA6142B757C8562A2A94FB05376320022FF720C03F0FF118E03A1A5

Function 00CE2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CE5686,00CF3CD6,?,00000000,?,00CE5B6A,?,?,?,?,?,00CDE6D1,?,00D78A48), ref: 00CE2D78
_free.LIBCMT ref: 00CE2DAB
_free.LIBCMT ref: 00CE2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00CDE6D1,?,00D78A48,00000010,00CB4F4A,?,?,00000000,00CF3CD6), ref: 00CE2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00CDE6D1,?,00D78A48,00000010,00CB4F4A,?,?,00000000,00CF3CD6), ref: 00CE2DEC
_abort.LIBCMT ref: 00CE2DF2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b1deb984f377aa4cd86f18d99af0d3b94f4f12c54df0b6943d63971670f88538
Instruction ID: d52e45368a0f9661030907c9ac33d86fdc64f8794eefa97392ed084a033f4ffc
Opcode Fuzzy Hash: b1deb984f377aa4cd86f18d99af0d3b94f4f12c54df0b6943d63971670f88538
Instruction Fuzzy Hash: DEF0A9365057802BC6522B37AC0AB1A165DABC27A1F254519FA35D22D3EE249A01A170

Function 00D48A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CC9693
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96A2
Part of subcall function 00CC9639: BeginPath.GDI32(?), ref: 00CC96B9
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D48A4E
LineTo.GDI32(?,00000003,00000000), ref: 00D48A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D48A70
LineTo.GDI32(?,00000000,00000003), ref: 00D48A80
EndPath.GDI32(?), ref: 00D48A90
StrokePath.GDI32(?), ref: 00D48AA0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5904e5c5770c510efcb8c937e9e8dc486247d0b4fc95843be1b1df6196a5e5de
Instruction ID: ac11f925d7585c5fd4cc22fb6946690b07915b962766820c377d2caef86cc81e
Opcode Fuzzy Hash: 5904e5c5770c510efcb8c937e9e8dc486247d0b4fc95843be1b1df6196a5e5de
Instruction Fuzzy Hash: 6711C97A001249FFDB129F94DC88EAA7F6DEB09394F048012FA199A2A1C7719D55DFB0

Function 00D151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D15218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D15229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D15230
ReleaseDC.USER32(00000000,00000000), ref: 00D15238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D1524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D15261

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0ce376826d1d7fb6e02e2c4bfd06c0a13a106dafa11fe73f4e4488130b4d8316
Instruction ID: 555bc87f26ddd3ae879c4ebe018542d8efeb17e2650bc9c214855e4a566bebe2
Opcode Fuzzy Hash: 0ce376826d1d7fb6e02e2c4bfd06c0a13a106dafa11fe73f4e4488130b4d8316
Instruction Fuzzy Hash: F1014F75A01719BBEB109FA59C49A5EBFB8EF49751F144065FA04E7391DA709800CBB0

Function 00CB1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CB1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CB1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CB1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CB1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CB1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB1C22

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: aa31ecf07909b204b08f46b85f79a2f88520a620d32257f7f7fe86b6be7caa47
Instruction ID: ea3eb1033ea78f8f62e6d6b4cc448e0abd6248ad507e95eb4fa14c01700ac2da
Opcode Fuzzy Hash: aa31ecf07909b204b08f46b85f79a2f88520a620d32257f7f7fe86b6be7caa47
Instruction Fuzzy Hash: BD016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CFE5

Function 00D1EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D1EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D1EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00D1EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D1EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D1EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D1EB75

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9b93c4b50bb2edb175c93fef7fee4ea6c3028e9e4879a7b856be9ad941eb4ea7
Instruction ID: a8d8ba782baab223095cd337eef35022690577fa817bead8111bb1e8c3502b44
Opcode Fuzzy Hash: 9b93c4b50bb2edb175c93fef7fee4ea6c3028e9e4879a7b856be9ad941eb4ea7
Instruction Fuzzy Hash: 61F09076212258BBE7205F529C0DEEF3A7CEFCBB11F005158F601D1290D7A01A01C6B4

Function 00D07439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00D07452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00D07469
GetWindowDC.USER32(?), ref: 00D07475
GetPixel.GDI32(00000000,?,?), ref: 00D07484
ReleaseDC.USER32(?,00000000), ref: 00D07496
GetSysColor.USER32(00000005), ref: 00D074B0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 38c194543eed299a248fddeeea081ee523c94292a621a45283de61ce21a6fb61
Instruction ID: db1ac704a84fe00c5e306f21230f368be70dd00bc36247e5a86530a2aaa0dd0d
Opcode Fuzzy Hash: 38c194543eed299a248fddeeea081ee523c94292a621a45283de61ce21a6fb61
Instruction Fuzzy Hash: A0017435811205EFEB905FA4DC08BAA7BB5FB06321F255064F91AE22B1CB312E41AB20

Function 00D11874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D1187F
UnloadUserProfile.USERENV(?,?), ref: 00D1188B
CloseHandle.KERNEL32(?), ref: 00D11894
CloseHandle.KERNEL32(?), ref: 00D1189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D118A5
HeapFree.KERNEL32(00000000), ref: 00D118AC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 33825dbd507421d754f6f2c0d6b2becdd2f5c7294341e6dda37e369accc4d0a7
Instruction ID: fc7bdd3225be6b257a41395b350208d5f844a2acdd1586eb18d430e540311c13
Opcode Fuzzy Hash: 33825dbd507421d754f6f2c0d6b2becdd2f5c7294341e6dda37e369accc4d0a7
Instruction Fuzzy Hash: 7CE0E53A216301BBDB415FA1ED0C90ABF39FF5AB22B149220F225C1270CB329420DF60

Function 00D1C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D1C6EE
_wcslen.LIBCMT ref: 00D1C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D1C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D1C7CA

Strings

0, xrefs: 00D1C6AF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c05e16ef17b73a93fa07aff6f2e3ff8151ff8344fd296b7290fc263938e692a3
Instruction ID: 38168a2e66cd20646166b7515ac432e7f98dc0a445f71e0f4719f977745bab60
Opcode Fuzzy Hash: c05e16ef17b73a93fa07aff6f2e3ff8151ff8344fd296b7290fc263938e692a3
Instruction Fuzzy Hash: 6E51D3716A4300ABD7149F28E885BEA77E8AF45310F08292DF595D21E0DFB0D889DB72

Function 00D3AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00D3AEA3

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

GetProcessId.KERNEL32(00000000), ref: 00D3AF38
CloseHandle.KERNEL32(00000000), ref: 00D3AF67

Strings

@, xrefs: 00D3AE72
<, xrefs: 00D3AE6B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: bc5a119865590049c93159980757578e660e3480b8700bf7ae095cd727acea95
Instruction ID: 99783781a96098a462ddca15be231a2347b2e690a177ce6d71719fcd4b0bcce0
Opcode Fuzzy Hash: bc5a119865590049c93159980757578e660e3480b8700bf7ae095cd727acea95
Instruction Fuzzy Hash: 47716871A00215DFCB14DF58C485A9EBBF0FF08310F048499E856AB3A2CB74ED45DBA1

Function 00D1719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D17206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D1723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D1724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D172CF

Strings

DllGetClassObject, xrefs: 00D17242

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e565a34e14335dbf7897fb84319e1e84ac3541303bbed879b4c3119110e7407e
Instruction ID: 9eda9195a0feeb90aff78225db3f35847332fc9a659ace904ea79742293f9758
Opcode Fuzzy Hash: e565a34e14335dbf7897fb84319e1e84ac3541303bbed879b4c3119110e7407e
Instruction Fuzzy Hash: 6D417C71A05204EFDB15CF54D884ADA7BB9EF49310F1480A9BD09DF22ADBB1D985CBB0

Function 00D43D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D43E35
IsMenu.USER32(?), ref: 00D43E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D43E92
DrawMenuBar.USER32 ref: 00D43EA5

Strings

0, xrefs: 00D43D89

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 6eba401465b928f374e4c3d8b23224da1c6a6b040321e0ecd491fe2164ec87ed
Instruction ID: cbee48872ffda7931742c28dd8884310c14ffe2a7608bc8243d56ac3766a9c04
Opcode Fuzzy Hash: 6eba401465b928f374e4c3d8b23224da1c6a6b040321e0ecd491fe2164ec87ed
Instruction Fuzzy Hash: 5E414CB5A12249AFDB10EF58D884A9AB7B9FF49350F084229F91597350D730EE45CF60

Function 00D11DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D11E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D11E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D11EA9

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Strings

ComboBox, xrefs: 00D11DF0
ListBox, xrefs: 00D11E25

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b022fa6166b9566637577e0070734a16c02a7d246d8bdf9c74d63654739dadd8
Instruction ID: 9d84655e9e55f656f756429011ea5511dd46e9dd9efd444d0beb9a71beae6090
Opcode Fuzzy Hash: b022fa6166b9566637577e0070734a16c02a7d246d8bdf9c74d63654739dadd8
Instruction Fuzzy Hash: 3B210575A00104BFDB14ABA4EC45DFFB7B9DF46350F148119F926A72E1DF34494AAA30

Function 00D3C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D3C9F1
_wcslen.LIBCMT ref: 00D3CA68
_wcslen.LIBCMT ref: 00D3CA9E
_wcslen.LIBCMT ref: 00D3CAF9
_wcslen.LIBCMT ref: 00D3CB2F
_wcslen.LIBCMT ref: 00D3CB7F

Strings

HKLM, xrefs: 00D3CA98, 00D3CA9D
HKEY_LOCAL_MACHINE, xrefs: 00D3CA62, 00D3CA67

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: bb044e71b3697965c1e3bd47f043597d5a2b42e74889d8f0f2e602c539c3b188
Instruction ID: 144de1479fc48bbacc11f78454d3597cbf6638d1d4f2a417edcf0d91f480a832
Opcode Fuzzy Hash: bb044e71b3697965c1e3bd47f043597d5a2b42e74889d8f0f2e602c539c3b188
Instruction Fuzzy Hash: 5F31D673A2026A4BCB20EF6D9D505BE33919BA1794F1D5029E845BB349FA71CE44E3B0

Function 00D42F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D42F8D
LoadLibraryW.KERNEL32(?), ref: 00D42F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D42FA9
DestroyWindow.USER32(?), ref: 00D42FB1

Strings

SysAnimate32, xrefs: 00D42F68

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: eaa3db5ff2a7428d11394167e99b8fd412b7fca00ca053df6a42c18cc580d071
Instruction ID: 035c911516d358d5e56531720d011b8dc3f335796490623dd00414f12616717c
Opcode Fuzzy Hash: eaa3db5ff2a7428d11394167e99b8fd412b7fca00ca053df6a42c18cc580d071
Instruction Fuzzy Hash: 7021AC71210209ABEB104F66DC80EBB37BDEF59364F944618FA50D21A0D771DC959B70

Function 00CD4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CD4D1E,00CE28E9,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002), ref: 00CD4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CD4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00CD4D1E,00CE28E9,?,00CD4CBE,00CE28E9,00D788B8,0000000C,00CD4E15,00CE28E9,00000002,00000000), ref: 00CD4DC3

Strings

CorExitProcess, xrefs: 00CD4D98
mscoree.dll, xrefs: 00CD4D86

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 69d0f9e26e285e2de0f69f6ba9e17d25b14701e26d5a1f088aac634a82f42af3
Instruction ID: 85f126a30920b271f54bd852b373f3783fe667dd7a0a28005b1dceaf49c097d9
Opcode Fuzzy Hash: 69d0f9e26e285e2de0f69f6ba9e17d25b14701e26d5a1f088aac634a82f42af3
Instruction Fuzzy Hash: 43F03C35A51308ABDB559F94DC49BADBFB5EB48752F0000A9AA09E2360DB315A44DAA0

Function 00D0D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00D0D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D0D3BF
FreeLibrary.KERNEL32(00000000), ref: 00D0D3E5

Strings

X64, xrefs: 00D0D2A8
GetSystemWow64DirectoryW, xrefs: 00D0D3B9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 0fce355a4cee2dfd57530be26665ce2fcce06bbaf8fb83805379998df8df9965
Instruction ID: 6ab3e510ade7384883871ea958919817b63ae3a21a1662e9b2ec3ed995d7c50b
Opcode Fuzzy Hash: 0fce355a4cee2dfd57530be26665ce2fcce06bbaf8fb83805379998df8df9965
Instruction Fuzzy Hash: 12F05C79406B10EBD7B01FA08C58B6D77165F01701B58911BF44EE1284D760CD44C7BA

Function 00CB4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00CB4EAE
FreeLibrary.KERNEL32(00000000,?,?,00CB4EDD,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4EC0

Strings

kernel32.dll, xrefs: 00CB4E94
Wow64DisableWow64FsRedirection, xrefs: 00CB4EA8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 201ec6bafa3f2bfe11f9babc05010f30af70aad50214c5debe739eef5b771aea
Instruction ID: ad8ec9f6ecca1f8db3bf91f1c74b15742185bb2ddfd817a908e582d279d1fe74
Opcode Fuzzy Hash: 201ec6bafa3f2bfe11f9babc05010f30af70aad50214c5debe739eef5b771aea
Instruction Fuzzy Hash: 84E0CD39A177225FD3711F296C18B9FA554AF82F62F050115FC04D2342DB60CE0585B1

Function 00CB4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00CB4E74
FreeLibrary.KERNEL32(00000000,?,?,00CF3CDE,?,00D81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00CB4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00CB4E6E
kernel32.dll, xrefs: 00CB4E5B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f58c9a578de30be6a22215a23d79254c95bfa3be2375b164958eef03275355b4
Instruction ID: 16dc2b49f74db0d72751a4a2cef70fb55cc669f0dfe265b5717cc3352cee1772
Opcode Fuzzy Hash: f58c9a578de30be6a22215a23d79254c95bfa3be2375b164958eef03275355b4
Instruction Fuzzy Hash: 34D0C239517B615B46621F246C08DCBAB18AF82B123050110B804E2211CF20CE01C5F1

Function 00D22947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D22C05
DeleteFileW.KERNEL32(?), ref: 00D22C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00D22C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D22CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00D22CC0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f06031d3dcda0dc0d3d8008e649ed1c786d737890c0c93f00c3a9b4e33d697cf
Instruction ID: d5bf89979cb22656e0f3b30b314352ae4685968dc7335afdf0125cba23362230
Opcode Fuzzy Hash: f06031d3dcda0dc0d3d8008e649ed1c786d737890c0c93f00c3a9b4e33d697cf
Instruction Fuzzy Hash: DBB16F71D00229ABDF21EFA4DC85EEEB77DEF59314F0040A6F609E6241EA319A449F71

Function 00D3A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00D3A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D3A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D3A468
CloseHandle.KERNEL32(?), ref: 00D3A63D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 80c1f18d04226b4756e05f2566df64582998f1e675b40b6712a02718ed1a6032
Instruction ID: c1b935d5996e34d8a1872fa35b3511eaaee773e11262e09a3e5387f13e62232b
Opcode Fuzzy Hash: 80c1f18d04226b4756e05f2566df64582998f1e675b40b6712a02718ed1a6032
Instruction Fuzzy Hash: 8DA181716047019FD724DF28C886F2AB7E5AF84714F14885DF59A9B3D2DBB0EC418B92

Function 00D1E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D1CF22,?), ref: 00D1DDFD

Part of subcall function 00D1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D1CF22,?), ref: 00D1DE16

Part of subcall function 00D1E199: GetFileAttributesW.KERNEL32(?,00D1CF95), ref: 00D1E19A

lstrcmpiW.KERNEL32(?,?), ref: 00D1E473
MoveFileW.KERNEL32(?,?), ref: 00D1E4AC
_wcslen.LIBCMT ref: 00D1E5EB
_wcslen.LIBCMT ref: 00D1E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D1E650

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 10b2e37e36ba1b4f8cae6e6e631ee057d46822545f996ba39a0d654dacc34e5f
Instruction ID: e0360736202a062cfd858bd81906bcb80df9e0854c549f37d93014cefd91f5a8
Opcode Fuzzy Hash: 10b2e37e36ba1b4f8cae6e6e631ee057d46822545f996ba39a0d654dacc34e5f
Instruction Fuzzy Hash: 1B5140B2508345ABD724DB90E8819DBB3ECEF85340F04491EFA89D3191EF75A6888776

Function 00D3B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D3B6AE,?,?), ref: 00D3C9B5
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3C9F1
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA68
Part of subcall function 00D3C998: _wcslen.LIBCMT ref: 00D3CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D3BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D3BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D3BB63
RegCloseKey.ADVAPI32(?,?), ref: 00D3BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00D3BBB3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 426395cd083805861da394d3080f302603ac55da2ee18572325875ae03c826a9
Instruction ID: 3a88bf9dcd25dcd7a21c46a851c1b70dd5b18781257c735af2c85a4da59c01c9
Opcode Fuzzy Hash: 426395cd083805861da394d3080f302603ac55da2ee18572325875ae03c826a9
Instruction Fuzzy Hash: CD61C331208241EFD314DF14C491E6ABBE5FF84318F18855DF5998B2A2DB31ED45DBA2

Function 00D18BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D18BCD
VariantClear.OLEAUT32 ref: 00D18C3E
VariantClear.OLEAUT32 ref: 00D18C9D
VariantClear.OLEAUT32(?), ref: 00D18D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D18D3B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 8cf506022d99440185049848ed12ba769e3eb272f69b4c28c8aa98110401df67
Instruction ID: ce19c4f9d4178330131c5577c6191e6d6a8ec584129d18275a829029d919da86
Opcode Fuzzy Hash: 8cf506022d99440185049848ed12ba769e3eb272f69b4c28c8aa98110401df67
Instruction Fuzzy Hash: 3C516AB5A00219EFCB10CF68D884AAAB7F5FF89310B158559F909DB350EB30E911CFA0

Function 00D28AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00D28BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00D28BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00D28C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00D28C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00D28C5F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5c9e80a786439ad54442dcde84435d90ad55353604238a5be073f964a1ca52cf
Instruction ID: 200804c7998d609a3c39f72b490bae06f22800b7f6a877db5f8c1111a6f86074
Opcode Fuzzy Hash: 5c9e80a786439ad54442dcde84435d90ad55353604238a5be073f964a1ca52cf
Instruction Fuzzy Hash: 78514B35A002159FCB15DF64C881EADBBF5FF49314F088498E849AB362DB31ED51EBA0

Function 00D38EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00D38F40
GetProcAddress.KERNEL32(00000000,?), ref: 00D38FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D38FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00D39032
FreeLibrary.KERNEL32(00000000), ref: 00D39052

Part of subcall function 00CCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00D21043,?,753CE610), ref: 00CCF6E6
Part of subcall function 00CCF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00D0FA64,00000000,00000000,?,?,00D21043,?,753CE610,?,00D0FA64), ref: 00CCF70D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e7078fc5bcb1a6806fd74e6a5da74b746120fef350b7617d603e2ab1ea92e395
Instruction ID: 9c75067600df9dc37f5b39fbcebc5ac2409a2c081d983d9df025db257836b3f9
Opcode Fuzzy Hash: e7078fc5bcb1a6806fd74e6a5da74b746120fef350b7617d603e2ab1ea92e395
Instruction Fuzzy Hash: 0D512835605205DFCB15DF68C4948ADBBB1FF49314F0880A8E80A9B362DB71ED86DBA1

Function 00D46B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D46C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00D46C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D46C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00D2AB79,00000000,00000000), ref: 00D46C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D46CC7

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8f18db4f6c4030c1ef67bb59553a5dd8d68f87e1c16522b7849a97b86d524b69
Instruction ID: 281b07a4f72c29c206a4489e2f5317d0401d2037e5c95396893f4a3a3a78305a
Opcode Fuzzy Hash: 8f18db4f6c4030c1ef67bb59553a5dd8d68f87e1c16522b7849a97b86d524b69
Instruction Fuzzy Hash: 40419235A04204AFDB24DF68CC94FA97FA5EB0B350F190268F896E73A0C771ED41DA61

Function 00CE2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE20C3
_free.LIBCMT ref: 00CE20E3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5615e28dc761099249cc05cda3bdbb2bfa68a90dbab15e9acda9c0c58d3f4269
Instruction ID: 91f4cf92146f116f2bfbf5837cfd6a128105a1bb8ba3254fce78dfe8fe2020ee
Opcode Fuzzy Hash: 5615e28dc761099249cc05cda3bdbb2bfa68a90dbab15e9acda9c0c58d3f4269
Instruction Fuzzy Hash: 4741E232A002409FCB24DF79C881B5DB3A9EF89310F15456DE616EB392E731AE01DB80

Function 00CC912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CC9141
ScreenToClient.USER32(00000000,?), ref: 00CC915E
GetAsyncKeyState.USER32(00000001), ref: 00CC9183
GetAsyncKeyState.USER32(00000002), ref: 00CC919D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a5a12b924aa8272b330a9959346b76d43d50bd2e4f130edc47a8a9c62d10a3e0
Instruction ID: 23fa35ffcafd873e70cb569cb2aac3119063843b87243354f6c55b57864aa7db
Opcode Fuzzy Hash: a5a12b924aa8272b330a9959346b76d43d50bd2e4f130edc47a8a9c62d10a3e0
Instruction Fuzzy Hash: 3F415E31A0861AFBDF159F64C849BEEB775FF05320F248219E429A72E0C7746A50DBA1

Function 00D23874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00D23922
TranslateMessage.USER32(?), ref: 00D2394B
DispatchMessageW.USER32(?), ref: 00D23955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D23966

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e7ef7ab6dadc728298a93f17192dd0b1c4089b1590763ca8e4afb47a10a37b2f
Instruction ID: 1fc40a61d2616e7941ab24269b3aacbf4816abeeab07b1da9ec1c29bc8215f1d
Opcode Fuzzy Hash: e7ef7ab6dadc728298a93f17192dd0b1c4089b1590763ca8e4afb47a10a37b2f
Instruction Fuzzy Hash: 6B31D9745143519FEB35CB34E849BB677ACEB26308F08055DE4A2C6290D3B996C9CF31

Function 00D2CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00D2CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00D2C21E,00000000), ref: 00D2CFF2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 860476e053d0bec5a12667dab2de9a7b70bac4fbd7b6df26dc7cae1443489b84
Instruction ID: 4acfabed2ca1348788bca2d9d668de276387f7edcdc93314e63062f7fac5e16f
Opcode Fuzzy Hash: 860476e053d0bec5a12667dab2de9a7b70bac4fbd7b6df26dc7cae1443489b84
Instruction Fuzzy Hash: CC31AB71511315EFDB20CFA5E984AAEBBFAEF24308B14502EF106D2200EB30EE019B70

Function 00D11901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D11915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00D119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00D119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00D119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D119E2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6c732311bb188fb8e5c3135baff34e6f08f3a51e8e732f5870c691905557fdde
Instruction ID: 98a77cc5802c6d93dc7a18fd4e8dd75618fdc9264d82edc41bc331034e3bc102
Opcode Fuzzy Hash: 6c732311bb188fb8e5c3135baff34e6f08f3a51e8e732f5870c691905557fdde
Instruction Fuzzy Hash: 4031AF75A00219EFCB00CFA8D999ADE3BB5EB05315F148225FA71E72D1C7709984CFA0

Function 00D45706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D45745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D4579D
_wcslen.LIBCMT ref: 00D457AF
_wcslen.LIBCMT ref: 00D457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D45816

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: c03a04db8e3e81901d78e7f48d9599b5858519889a19da9505b0b265452f68f8
Instruction ID: 8bd44de9366f75341a237ac44d4c68e19c03f367f79756726c8ddfc8e0544f93
Opcode Fuzzy Hash: c03a04db8e3e81901d78e7f48d9599b5858519889a19da9505b0b265452f68f8
Instruction Fuzzy Hash: DA21A575904618EBDB209F60DC85AED77BCFF05320F148216EA19EA285D770C985CF60

Function 00D30930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00D30951
GetForegroundWindow.USER32 ref: 00D30968
GetDC.USER32(00000000), ref: 00D309A4
GetPixel.GDI32(00000000,?,00000003), ref: 00D309B0
ReleaseDC.USER32(00000000,00000003), ref: 00D309E8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9f5f78c10b586cfa8576ac328e80295ba77412d23cdba6c24269f55cbb00e1dc
Instruction ID: 33d06a0758820cf9e6f550756c962897b1e41b81643830cc9fd1f43310ebfc18
Opcode Fuzzy Hash: 9f5f78c10b586cfa8576ac328e80295ba77412d23cdba6c24269f55cbb00e1dc
Instruction Fuzzy Hash: D4218139600214AFD754EF69D894AAEBBF9EF45710F058068F84AE7362CB70AD04DB70

Function 00CECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00CECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CECDE9

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CECE0F
_free.LIBCMT ref: 00CECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CECE31

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: bc639b658cada3d254ef2d6e0f73f786284f08889399edfe57da4fc5ffca3e08
Instruction ID: b5946188b8a5431c6b7b95eb452a83dea32f0f8b1ef8e5bd7451a762cad204fd
Opcode Fuzzy Hash: bc639b658cada3d254ef2d6e0f73f786284f08889399edfe57da4fc5ffca3e08
Instruction Fuzzy Hash: 2B01DF726023957F23211ABB6CCCD7B6A6DEEC7BA13150129F905D7201EA618E0291B0

Function 00CC9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CC9693
SelectObject.GDI32(?,00000000), ref: 00CC96A2
BeginPath.GDI32(?), ref: 00CC96B9
SelectObject.GDI32(?,00000000), ref: 00CC96E2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 16da468717bd79f74d2b3ea2797889284b474433128d48623092b0af10bc2eec
Instruction ID: e5baae8b0143c3f2f46c9e97161e5d380f1186e91a1436d8acea05221d5396f6
Opcode Fuzzy Hash: 16da468717bd79f74d2b3ea2797889284b474433128d48623092b0af10bc2eec
Instruction Fuzzy Hash: 29218374822305EBDB51AF65EC08BA93B68FB01315F100219F430E62F0D370995ACFB4

Function 00D15711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D15726
_memcmp.LIBVCRUNTIME ref: 00D15744
_memcmp.LIBVCRUNTIME ref: 00D15757
_memcmp.LIBVCRUNTIME ref: 00D1576F
_memcmp.LIBVCRUNTIME ref: 00D15787

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 111207279c382eb0327cce995124cac23879f3d22cdbf7a48a29e6453ac3c8dd
Instruction ID: 18c1728d6e09b6377dc3c26c16e1d5650be196a3e117dcfca4897204537765cb
Opcode Fuzzy Hash: 111207279c382eb0327cce995124cac23879f3d22cdbf7a48a29e6453ac3c8dd
Instruction Fuzzy Hash: 2801B5A5641609FFE2085610BD83FFB735C9BA13A4F184021FE049A2D6FB64ED54D6B0

Function 00CE2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00CDF2DE,00CE3863,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6), ref: 00CE2DFD
_free.LIBCMT ref: 00CE2E32
_free.LIBCMT ref: 00CE2E59
SetLastError.KERNEL32(00000000,00CB1129), ref: 00CE2E66
SetLastError.KERNEL32(00000000,00CB1129), ref: 00CE2E6F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4b33548016a7efdcb2cc768e96908074de37a7b373e709a5f52f7c27161fd522
Instruction ID: 36c65f7e7bba029e04d03902e22af05a23683eb60856383c585b9cd09d014436
Opcode Fuzzy Hash: 4b33548016a7efdcb2cc768e96908074de37a7b373e709a5f52f7c27161fd522
Instruction Fuzzy Hash: 0001F4362067D06BC6122B776C4AF2B265DABC27A6B214028F865E3393EB248D015130

Function 00D1000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?,?,00D1035E), ref: 00D1002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?), ref: 00D10064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D0FF41,80070057,?,?), ref: 00D10070

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a26c4e72a87b9fad3eab7430717ed63d4db4326af390f1610bf1f0ea03160e91
Instruction ID: 76ac71e5e813aa24788a99398817e91351b808f1d138eae6100a9d990b327804
Opcode Fuzzy Hash: a26c4e72a87b9fad3eab7430717ed63d4db4326af390f1610bf1f0ea03160e91
Instruction Fuzzy Hash: 22018F7A611304BFDB505F68EC04BEA7EADEB48792F145124F905E2210EBB1DE808BB0

Function 00D1E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00D1E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00D1E9A5
Sleep.KERNEL32(00000000), ref: 00D1E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00D1E9B7
Sleep.KERNEL32 ref: 00D1E9F3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 58ce4057d3a7321119c22b9e5b15c4fa301f35eaff20db540f0afabf6660f65d
Instruction ID: 650fc002972e55d354d01027d18281166f2adc2bd35cdfe258d4d5f78ce5ea9b
Opcode Fuzzy Hash: 58ce4057d3a7321119c22b9e5b15c4fa301f35eaff20db540f0afabf6660f65d
Instruction Fuzzy Hash: 84015735D0262DEBCF40AFE5E849AEDFB78BB09700F040546E902F2240DF3095908BB1

Function 00D110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D11114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D1112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D10B9B,?,?,?), ref: 00D11136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D1114D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5090781f1db0453f46af78509e448a5349f61fa8fef8a56af256732b5bbeaf65
Instruction ID: 2f1b3c78fd61411cfdaabdf331b260882ddc4b1dbdb79da8a58c4010b284b6e0
Opcode Fuzzy Hash: 5090781f1db0453f46af78509e448a5349f61fa8fef8a56af256732b5bbeaf65
Instruction Fuzzy Hash: 1E016D79201305BFDB514FA5EC49AAA3B6EEF86364B140414FA45C3360DA31DC408A70

Function 00D10FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D10FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D10FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D10FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D10FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D11002

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d48f4ba0131a2c4fd544b9fa9833c07f452ad8fe2fc7af337ad82d5ec1d77451
Instruction ID: a0fe3ca2a649c0b4b29c8e51ef421886a84832cc4e70b2d4669b71e58db81273
Opcode Fuzzy Hash: d48f4ba0131a2c4fd544b9fa9833c07f452ad8fe2fc7af337ad82d5ec1d77451
Instruction Fuzzy Hash: C5F04F39612301BBDB214FA4AC4DF963B6DEF8A761F144414FA45C6351CA70DC808A70

Function 00D11014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D1102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D11036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D1104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11062

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5d6cd300a4a94e6d9d49f04591f7aff6717c66b4e98493d3b4d5d78cd60168c9
Instruction ID: a0f11b7a7cae2b14cf04e34d733f5b88212b2c265378c9d7837668b1f66f9e51
Opcode Fuzzy Hash: 5d6cd300a4a94e6d9d49f04591f7aff6717c66b4e98493d3b4d5d78cd60168c9
Instruction Fuzzy Hash: 3FF04939612301BBDB215FA5EC4AF963BADEF8A761F140414FA45C6360CA70D880CA70

Function 00D2030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20324
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20331
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D2033E
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D2034B
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20358
CloseHandle.KERNEL32(?,?,?,?,00D2017D,?,00D232FC,?,00000001,00CF2592,?), ref: 00D20365

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 49e1b0a2e538a49e839d1ea9c3ccb9ec495e44c2df1a34faa2acd7ad97106e68
Instruction ID: 3f1d3457b8e3636c3a0ca90f0057496672c68b47f127a50549941d8d03048a1a
Opcode Fuzzy Hash: 49e1b0a2e538a49e839d1ea9c3ccb9ec495e44c2df1a34faa2acd7ad97106e68
Instruction Fuzzy Hash: B001A272801B259FC7309F66E880412FBF9BF603193198A3FD19652932C371A954CF90

Function 00CED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CED752

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CED764
_free.LIBCMT ref: 00CED776
_free.LIBCMT ref: 00CED788
_free.LIBCMT ref: 00CED79A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f8672baa51d8d5b5bc8a496a85e117e39f046ee731e4c524c27960f8a444208a
Instruction ID: 3d8731a1cf7a1376c06449ffde048933f13629d740d77a50e048071d4878e951
Opcode Fuzzy Hash: f8672baa51d8d5b5bc8a496a85e117e39f046ee731e4c524c27960f8a444208a
Instruction Fuzzy Hash: 43F09632510388AF8621EB66F9C2D1A77DDBB04310B952C09F06DE7606D734FCC08A70

Function 00D15C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D15C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D15C6F
MessageBeep.USER32(00000000), ref: 00D15C87
KillTimer.USER32(?,0000040A), ref: 00D15CA3
EndDialog.USER32(?,00000001), ref: 00D15CBD

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4a9f91be781ef18fa2bb0b88029a428a53fa40c3934e8b968874cffe8827c769
Instruction ID: bae258d3575519fd7791b527ceb9c866a568b33c9052d00e70c4ad1e60c2c87e
Opcode Fuzzy Hash: 4a9f91be781ef18fa2bb0b88029a428a53fa40c3934e8b968874cffe8827c769
Instruction Fuzzy Hash: 6501D134601B04EBEB205F10FD4EFE677B9BB41B01F041159A683A11E0DFF8AA848AA0

Function 00CE22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CE22BE

Part of subcall function 00CE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000), ref: 00CE29DE
Part of subcall function 00CE29C8: GetLastError.KERNEL32(00000000,?,00CED7D1,00000000,00000000,00000000,00000000,?,00CED7F8,00000000,00000007,00000000,?,00CEDBF5,00000000,00000000), ref: 00CE29F0

_free.LIBCMT ref: 00CE22D0
_free.LIBCMT ref: 00CE22E3
_free.LIBCMT ref: 00CE22F4
_free.LIBCMT ref: 00CE2305

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 17e9e419ac0f5691e7b3247b8ff09a9a0f4e518e5edcda07bf932f363e074b2b
Instruction ID: 07727a9d92b8c0c0e5a5c3d6a846b962c72d6e8dc4f0ad2b837959d4958cfdbd
Opcode Fuzzy Hash: 17e9e419ac0f5691e7b3247b8ff09a9a0f4e518e5edcda07bf932f363e074b2b
Instruction Fuzzy Hash: 25F03A758203648B8622AF55BC03A083F6CFB18760702650EF624D63B2D7340956ABB9

Function 00CC95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00CC95D4
StrokeAndFillPath.GDI32(?,?,00D071F7,00000000,?,?,?), ref: 00CC95F0
SelectObject.GDI32(?,00000000), ref: 00CC9603
DeleteObject.GDI32 ref: 00CC9616
StrokePath.GDI32(?), ref: 00CC9631

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 86334fc3653239c89eb799b0652b109de37caf43bd66f875fbf8c11425de2115
Instruction ID: b0bb640952b28d637058ebc7dafefcc4cb0797a53a64e5eb79b4d4b7955576be
Opcode Fuzzy Hash: 86334fc3653239c89eb799b0652b109de37caf43bd66f875fbf8c11425de2115
Instruction Fuzzy Hash: 47F0C939026744EBDB666F65ED1CBA43B69EB01322F048218F475D52F0D7308A9ADF35

Function 00CE0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00CE10F9
__freea.LIBCMT ref: 00CE1117

Part of subcall function 00CE1537: _free.LIBCMT ref: 00CE154F

Strings

a/p, xrefs: 00CE11DE
am/pm, xrefs: 00CE117A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 5e4805b465552792795b16e8b5285ea8e9d36e6ed0d905a08a83b46d89b26f4c
Instruction ID: c6b40113995fb332f3922d1a0c034bb9c390e9766bc127a2519b648d219314c7
Opcode Fuzzy Hash: 5e4805b465552792795b16e8b5285ea8e9d36e6ed0d905a08a83b46d89b26f4c
Instruction Fuzzy Hash: 4CD1E2719002C6CACB249F6AC845BFEB7B1FF05300F2C0159EE21AB665D3759EA0CB91

Function 00D37B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00CD0242: EnterCriticalSection.KERNEL32(00D8070C,00D81884,?,?,00CC198B,00D82518,?,?,?,00CB12F9,00000000), ref: 00CD024D
Part of subcall function 00CD0242: LeaveCriticalSection.KERNEL32(00D8070C,?,00CC198B,00D82518,?,?,?,00CB12F9,00000000), ref: 00CD028A

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00CD00A3: __onexit.LIBCMT ref: 00CD00A9

__Init_thread_footer.LIBCMT ref: 00D37BFB

Part of subcall function 00CD01F8: EnterCriticalSection.KERNEL32(00D8070C,?,?,00CC8747,00D82514), ref: 00CD0202
Part of subcall function 00CD01F8: LeaveCriticalSection.KERNEL32(00D8070C,?,00CC8747,00D82514), ref: 00CD0235

Strings

Variable must be of type 'Object'., xrefs: 00D37C3A
G, xrefs: 00D37C7F
5, xrefs: 00D37C78

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2d83216141683d8e565525adfc2c05552a387a18d8b1682b252cb230afe077ed
Instruction ID: 9d83d1acd80e5977d50495b3119fb3d978705ab37c57cda4df2f9506be3770f1
Opcode Fuzzy Hash: 2d83216141683d8e565525adfc2c05552a387a18d8b1682b252cb230afe077ed
Instruction Fuzzy Hash: 88918CB0A04609EFCB24EF94E891DBDB7B1FF45300F148059F846AB292DB71AE45DB61

Function 00D12716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D121D0,?,?,00000034,00000800,?,00000034), ref: 00D1B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D12760

Part of subcall function 00D1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D1B3F8

Part of subcall function 00D1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D1B355
Part of subcall function 00D1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D12194,00000034,?,?,00001004,00000000,00000000), ref: 00D1B365
Part of subcall function 00D1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D12194,00000034,?,?,00001004,00000000,00000000), ref: 00D1B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D1281A

Strings

@, xrefs: 00D12832

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c654106363771f916e30377719df5fe494c1a7da7f6c08c84eb0a7408209a79a
Instruction ID: 8a5eb1277983b8d4b153a4edc358f95394602c0a0475422ead96723d83f4721a
Opcode Fuzzy Hash: c654106363771f916e30377719df5fe494c1a7da7f6c08c84eb0a7408209a79a
Instruction Fuzzy Hash: 60412976900218BFDB10DFA4D981AEEBBB8EB09310F048095EA55B7191DA716E85CBB0

Function 00CE172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00CE1769
_free.LIBCMT ref: 00CE1834
_free.LIBCMT ref: 00CE183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00CE1760, 00CE1767, 00CE1796, 00CE17CE

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: aea3a487360f2f077adbdb5393e396b81af5c0b4fb3470abe38269a25ebba00e
Instruction ID: dd6ffbf39f470d41dc4a71ae5ed13066f4d508bc19273a3afa460396280b40a2
Opcode Fuzzy Hash: aea3a487360f2f077adbdb5393e396b81af5c0b4fb3470abe38269a25ebba00e
Instruction Fuzzy Hash: 6F31CE75A00298EFCB21DF9ADC81E9EBBFCEB85710B18416AF804D7311D6708E51DBA0

Function 00D1C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D1C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00D1C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D81990,01445CB8), ref: 00D1C395

Strings

0, xrefs: 00D1C2DF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 84b89a0e7f0ecec607dee56a4902509c307e5d43b333d18ac67f1af16ab88e79
Instruction ID: 836ee5749e5fa537374e6034ff289e707791e9a33f978eafb2efc7722fd8bed2
Opcode Fuzzy Hash: 84b89a0e7f0ecec607dee56a4902509c307e5d43b333d18ac67f1af16ab88e79
Instruction Fuzzy Hash: 6B41A031254301AFD724DF24E884B9ABBE4EF85320F04961EF9A597291DB30E945CB76

Function 00D44416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D4CC08,00000000,?,?,?,?), ref: 00D444AA
GetWindowLongW.USER32 ref: 00D444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D444D7

Strings

SysTreeView32, xrefs: 00D4447C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: fcbe9b17dd3d1232adba7bb0d24944cbd0e5257610e5652ada79da81bfcd7f84
Instruction ID: e411ea688e053d8dae7b386ff419b6dea07b999f96babee236186308a5c0b1ec
Opcode Fuzzy Hash: fcbe9b17dd3d1232adba7bb0d24944cbd0e5257610e5652ada79da81bfcd7f84
Instruction Fuzzy Hash: AE317C32210605AFDF209E78DC45BEA77A9EB09334F248715F979A22E0D770EC909B60

Function 00D3304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00D33077,?,?), ref: 00D33378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00D3307A
_wcslen.LIBCMT ref: 00D3309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00D33106

Strings

255.255.255.255, xrefs: 00D33095, 00D3309A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 73d2a26a35dd0b7c6b43d48b1c0c2f634edc26d857785f19dba74173fde2eb33
Instruction ID: a22a291b8b04b73a39569e8f36d6345ab4a61a34040a819c20027bb8b1cf0e14
Opcode Fuzzy Hash: 73d2a26a35dd0b7c6b43d48b1c0c2f634edc26d857785f19dba74173fde2eb33
Instruction Fuzzy Hash: 0831A1396043059FCB24CF68C685EAA77E0EF55358F288059E9158B3A2DB72EE45C770

Function 00D43EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D43F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D43F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D43F78

Strings

SysMonthCal32, xrefs: 00D43F0B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c99e5be023a42b92bb87b6d441fc53f1730cf3c1cd7b6d6a1d3daeb60d137327
Instruction ID: bffe793848edda90f7cdb44319b4c336e5099da357f5e0ab2cd2c381c9447113
Opcode Fuzzy Hash: c99e5be023a42b92bb87b6d441fc53f1730cf3c1cd7b6d6a1d3daeb60d137327
Instruction Fuzzy Hash: 2F21BC32610219BFDF258F94DC46FEA3B79EF48724F150214FE55AB1D0D6B1A8548BA0

Function 00D44653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D44705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D44713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D4471A

Strings

msctls_updown32, xrefs: 00D44684

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 796d18a09842a9a0ed44c02cb405fe75c937e6a9b9482fea2fae75737a313910
Instruction ID: ac49cf6de2b78e66354a14478ae1fbf9b48ecab9079c9c4dea8c183d56612f45
Opcode Fuzzy Hash: 796d18a09842a9a0ed44c02cb405fe75c937e6a9b9482fea2fae75737a313910
Instruction Fuzzy Hash: 9C214AB5600209AFDB10DF64DC81EAA37ADEB5A3A4B050459FA14DB361CB30EC52DAB0

Function 00D195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D1961D

Strings

#OnAutoItStartRegister, xrefs: 00D195F3
#notrayicon, xrefs: 00D195B7
#requireadmin, xrefs: 00D195D9

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: d8791adce1e2fd210b36d0db0980f9d44801ecda4ab81750f356b2f85b2b2753
Instruction ID: e06671c6f391cf589feaba9771259f4400223ef3e15d7320e34c7283a304cd22
Opcode Fuzzy Hash: d8791adce1e2fd210b36d0db0980f9d44801ecda4ab81750f356b2f85b2b2753
Instruction Fuzzy Hash: 6121F67210451176E331AB24A832FE7B3D9AF91310F58402AFA49A7541EF61AD86D2B5

Function 00D437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D43840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D43850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D43876

Strings

Listbox, xrefs: 00D4380F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d070dd45d3ad66281f9d95b60528b0c27c7a4e4e62696db0d9715210d543787f
Instruction ID: d4768f21b03c2a110c7085efa47dda6f326e127165f7e7d31927379e1838b345
Opcode Fuzzy Hash: d070dd45d3ad66281f9d95b60528b0c27c7a4e4e62696db0d9715210d543787f
Instruction Fuzzy Hash: 2E21D172610218BBEF218F58CC81FBB7B6EEF89760F158124F9449B190C671DC528BB0

Function 00D249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00D24A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00D24A5C
SetErrorMode.KERNEL32(00000000,?,?,00D4CC08), ref: 00D24AD0

Strings

%lu, xrefs: 00D24A6F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ed7bbf96430312bed346353c558fb6665eb8634c050411de92000b8eb076f9d5
Instruction ID: 82f3ef1396a141a99fd6c514a34d8e17f70c56cf13d7054d4310c0260d64ab3d
Opcode Fuzzy Hash: ed7bbf96430312bed346353c558fb6665eb8634c050411de92000b8eb076f9d5
Instruction Fuzzy Hash: DA315E75A00218AFDB10DF54C985EAA7BF8EF09308F1480A9F909DB252D771ED45CB71

Function 00D441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D4424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D44264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D44271

Strings

msctls_trackbar32, xrefs: 00D44226

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ef8b1a4c803455026666c96b4da73503cd61a6676c52c778ad509f4b11b9e384
Instruction ID: f58cd9d0142a1f92e5b4320bd2a0f1c400958125e4cb45a07aa5d1618e68bcf2
Opcode Fuzzy Hash: ef8b1a4c803455026666c96b4da73503cd61a6676c52c778ad509f4b11b9e384
Instruction Fuzzy Hash: 7411E031240208BFEF205F29CC46FAB3BACEF95B64F014624FA95E20A0D6B1D8519B34

Function 00D12F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB6B57: _wcslen.LIBCMT ref: 00CB6B6A

Part of subcall function 00D12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D12DC5
Part of subcall function 00D12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D12DD6
Part of subcall function 00D12DA7: GetCurrentThreadId.KERNEL32 ref: 00D12DDD
Part of subcall function 00D12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D12DE4

GetFocus.USER32 ref: 00D12F78

Part of subcall function 00D12DEE: GetParent.USER32(00000000), ref: 00D12DF9

GetClassNameW.USER32(?,?,00000100), ref: 00D12FC3
EnumChildWindows.USER32(?,00D1303B), ref: 00D12FEB

Strings

%s%d, xrefs: 00D12FFF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ad44ff5974066b22d0131c99257c4209edd47d17b48cf9bdad5fc30b4249b902
Instruction ID: 7b60bda3733f4eafe1dc3901cdedce46d2ebe42e734e9ea1fee168e3acfc064f
Opcode Fuzzy Hash: ad44ff5974066b22d0131c99257c4209edd47d17b48cf9bdad5fc30b4249b902
Instruction Fuzzy Hash: 2D11DF75200205ABCF547F60EC95EEE37AAEF88304F048079F9099B292DE3199899B70

Function 00D45882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D458EE
DrawMenuBar.USER32(?), ref: 00D458FD

Strings

0, xrefs: 00D4588F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 84c2769759882c07c391e6619f0cae0e097b3726c4df278d18f13711bf00ad71
Instruction ID: 6278ac024420ca6776100f6ac9f69f12bb4e0d57c3d4ee1be92c391df4ebb969
Opcode Fuzzy Hash: 84c2769759882c07c391e6619f0cae0e097b3726c4df278d18f13711bf00ad71
Instruction Fuzzy Hash: 94016D35501218EFDB619F11EC44BAEBBB5FB46760F14809DE849DA252DB308A85EF31

Function 00D1007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debeab6062b2d81cc7bb249c8786d2252e84c52628e018cb11035927e718c9dc
Instruction ID: dae27ffe118a30679ff4c88ad373e0831daafc12486bacca9640c8cdcae7021c
Opcode Fuzzy Hash: debeab6062b2d81cc7bb249c8786d2252e84c52628e018cb11035927e718c9dc
Instruction Fuzzy Hash: D4C16D75A0020AEFCB14DF94D894AAEBBB5FF48304F148598E515EB251DB71EDC1CBA0

Function 00CE3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CE3F0B
__alldvrm.LIBCMT ref: 00CE410C
__alldvrm.LIBCMT ref: 00CE412E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 38bb549d81f13e2a520e032f5878339fc0e2644b931af169f277c127ec89dfe3
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 49A15771D003C69FDB2ACF5AC8917AEBBF4EF65350F1841ADE5959B281C2389E81C750

Function 00D3342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D33459
CoUninitialize.OLE32 ref: 00D33463
VariantInit.OLEAUT32(?), ref: 00D3346E
VariantClear.OLEAUT32(?), ref: 00D3371B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: dca26b48cef4d5bfa4011c66cbff7a4fa585bd887c1b7769bc3b8ad0e9fa39ba
Instruction ID: 59561b2e2879d33dc7ea96bb2d46d7631f4953f5373a771b0cf8eb20d2910346
Opcode Fuzzy Hash: dca26b48cef4d5bfa4011c66cbff7a4fa585bd887c1b7769bc3b8ad0e9fa39ba
Instruction Fuzzy Hash: 91A14D756043009FC710DF28C586A6AB7E5FF89714F08895DF98A9B362DB30EE05DBA1

Function 00D10436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D4FC08,?), ref: 00D105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D4FC08,?), ref: 00D10608
CLSIDFromProgID.OLE32(?,?,00000000,00D4CC40,000000FF,?,00000000,00000800,00000000,?,00D4FC08,?), ref: 00D1062D
_memcmp.LIBVCRUNTIME ref: 00D1064E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b429d04338e1424f2be5f8b282a4db4f67cdd5d7217b34c9e60eb5c5b8175a56
Instruction ID: 59deaf641fa1856f1bda4bfceb1e02d5969def9b87452843f1fa55f1d6695d58
Opcode Fuzzy Hash: b429d04338e1424f2be5f8b282a4db4f67cdd5d7217b34c9e60eb5c5b8175a56
Instruction Fuzzy Hash: DE811B75A00109EFCB04DF94C984EEEBBB9FF89315F244558E506EB250DB71AE86CB60

Function 00D3A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D3A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00D3A6BA

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Process32NextW.KERNEL32(00000000,?), ref: 00D3A79C
CloseHandle.KERNEL32(00000000), ref: 00D3A7AB

Part of subcall function 00CCCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CF3303,?), ref: 00CCCE8A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 04445cf0b5252074a986f2b8bc145db0ccb9479a6f7b2202fee82df678ceccd4
Instruction ID: 39174cc32a2c2ccba054fec66ca2677a89aea2b57d4182b551823811e7045c43
Opcode Fuzzy Hash: 04445cf0b5252074a986f2b8bc145db0ccb9479a6f7b2202fee82df678ceccd4
Instruction Fuzzy Hash: B2512B71608300AFD710EF24C886E6BBBE8FF89754F44491DF985972A1EB31D904DBA2

Function 00CF1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF14C0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e5c5372fe0760290d1c140e54841ee0f21b089f6979d76547673b26c36c5f54d
Instruction ID: b46f0b7afbdabc0b1a9d41fd85b0b2c3a0fa7cc7c33c852a9b1f6490abb23ff8
Opcode Fuzzy Hash: e5c5372fe0760290d1c140e54841ee0f21b089f6979d76547673b26c36c5f54d
Instruction Fuzzy Hash: 9241213150014CDBDB656BBA9C457BE3EA4FF81370F1C4225FE29D6291E63489416673

Function 00D46278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D462E2
ScreenToClient.USER32(?,?), ref: 00D46315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D46382

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 47f2d90e6b9217e4da75b0f656a900f69443c6ac06f0c18e4120d9681a1d748c
Instruction ID: 0ed89b138966b308df2d2cdf7d3d6c1b1de1e9d954fffdbfa39eac2810da2032
Opcode Fuzzy Hash: 47f2d90e6b9217e4da75b0f656a900f69443c6ac06f0c18e4120d9681a1d748c
Instruction Fuzzy Hash: 60512C74A00249EFCF14DF64D8849AE7BB5FB46364F188159F826D72A0D730ED41CB61

Function 00D31AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D31AFD
WSAGetLastError.WSOCK32 ref: 00D31B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D31B8A
WSAGetLastError.WSOCK32 ref: 00D31B94

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 69337827a9815065c8802d6fca85d7c4fa48bb09d7c5c966d835f60e881b6377
Instruction ID: 8682a00ccaf452c4131873803e4f9d51df0d2aeaed40fd42adb2d23a0fb8ced2
Opcode Fuzzy Hash: 69337827a9815065c8802d6fca85d7c4fa48bb09d7c5c966d835f60e881b6377
Instruction Fuzzy Hash: A741C338640201AFE720EF24C886F6A77E5AB45718F58848CF91A9F3D2D772DD41DBA0

Function 00CEB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47712061d16fc450b48f1672f0a02e4303c0f9f9800b09d8f0929ead5f8c048f
Instruction ID: 7e60ba86c470280bf0c7a0f27abaa61f262397bbe50dfa5fd60ddc84b20400f9
Opcode Fuzzy Hash: 47712061d16fc450b48f1672f0a02e4303c0f9f9800b09d8f0929ead5f8c048f
Instruction Fuzzy Hash: 2541C3B1A00684AFD7249F79CC45B7BBBE9EB88710F10452EF552DB2C2D771AA019B90

Function 00D256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00D25783
GetLastError.KERNEL32(?,00000000), ref: 00D257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00D257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00D257FA

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 2dfa4f2d5aff902cf1bd905ff2f564b0ff9a47a1a362437e8ef1efc5c23700de
Instruction ID: 9647a272a284594ef1f8c9433678c7a0313634e370e45f655c6df5b5eb1f2638
Opcode Fuzzy Hash: 2dfa4f2d5aff902cf1bd905ff2f564b0ff9a47a1a362437e8ef1efc5c23700de
Instruction Fuzzy Hash: 02413C39200610DFCB20DF15D485A59BBE2EF89324F188488EC4A9B362CB70FD44DBA1

Function 00CED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00CD6D71,00000000,00000000,00CD82D9,?,00CD82D9,?,00000001,00CD6D71,8BE85006,00000001,00CD82D9,00CD82D9), ref: 00CED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CED9AB
__freea.LIBCMT ref: 00CED9B4

Part of subcall function 00CE3820: RtlAllocateHeap.NTDLL(00000000,?,00D81444,?,00CCFDF5,?,?,00CBA976,00000010,00D81440,00CB13FC,?,00CB13C6,?,00CB1129), ref: 00CE3852

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d715e0e7bb785e527044acf4534e2bc7a372baf2a0e256dc2e965ab6a3a64da0
Instruction ID: 461c8a070cc3228f858f540c4414836e591b81bdaa900419db4a56769a1eb65f
Opcode Fuzzy Hash: d715e0e7bb785e527044acf4534e2bc7a372baf2a0e256dc2e965ab6a3a64da0
Instruction Fuzzy Hash: 76310F72A1034AABDF24CF66DC45EAE7BA5EB40310F050169FC15D7292EB35CE50CBA0

Function 00D452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00D45352
GetWindowLongW.USER32(?,000000F0), ref: 00D45375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D45382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D453A8

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f8facb0a53b958f94c9190a2ddf54c2421292b84c815c657f5127c759cdea917
Instruction ID: a1f5678ce72ed251cd0af775ff0b3fcfa53d819ef9df4ebfcdf493099b5f0dc4
Opcode Fuzzy Hash: f8facb0a53b958f94c9190a2ddf54c2421292b84c815c657f5127c759cdea917
Instruction Fuzzy Hash: 6F31E234A55A08EFEF309F14EC0DBE837A5AB05390F5C4141FA51962E6C7B1AD40DB71

Function 00D1AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00D1ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00D1AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00D1AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00D1ACC6

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7d00f5fbc356ebc06108c431ee94c0c3f5f36ccf4af0d11efdaf3e27bd57b2ea
Instruction ID: 3494b4944de7d8ddf3784728e009dac7be8eb46d0cad3e5e3a3dc5eb47758bef
Opcode Fuzzy Hash: 7d00f5fbc356ebc06108c431ee94c0c3f5f36ccf4af0d11efdaf3e27bd57b2ea
Instruction Fuzzy Hash: 3E310834A027187FEF35CB69AC147FA7BA7AB85310F08421AE485922D1DB7589C587F2

Function 00D47674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D4769A
GetWindowRect.USER32(?,?), ref: 00D47710
PtInRect.USER32(?,?,00D48B89), ref: 00D47720
MessageBeep.USER32(00000000), ref: 00D4778C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2cb874d508c3c918fedc3d5c16d5365f293712a029e9bfb4e981318b0dbffd2d
Instruction ID: b7a61487ea70a70e045fe07e76d5e2eaa3555ea0497d294ac26ae50e3ed14033
Opcode Fuzzy Hash: 2cb874d508c3c918fedc3d5c16d5365f293712a029e9bfb4e981318b0dbffd2d
Instruction Fuzzy Hash: 63415938A052149FCB11DF58C894EA9B7F9FB49314F5981A8E864DB361C731E946CFB0

Function 00D416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D416EB

Part of subcall function 00D13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D13A57
Part of subcall function 00D13A3D: GetCurrentThreadId.KERNEL32 ref: 00D13A5E
Part of subcall function 00D13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D125B3), ref: 00D13A65

GetCaretPos.USER32(?), ref: 00D416FF
ClientToScreen.USER32(00000000,?), ref: 00D4174C
GetForegroundWindow.USER32 ref: 00D41752

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0341db2c213bea3180a9553f6fb6a842f1b822995d61ab1649d792e8b02e4755
Instruction ID: 3e978d5f54e1829e5e5e5be5d0f602de5283e1ca60707b22ba76a174fdc65a1b
Opcode Fuzzy Hash: 0341db2c213bea3180a9553f6fb6a842f1b822995d61ab1649d792e8b02e4755
Instruction Fuzzy Hash: EC311D75D00249AFCB04EFA9D8818EEBBF9EF49304B5480AAE415E7211DB35DE45CBA0

Function 00D1DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

_wcslen.LIBCMT ref: 00D1DFCB
_wcslen.LIBCMT ref: 00D1DFE2
_wcslen.LIBCMT ref: 00D1E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00D1E018

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 6a533f7570c97c43fb6ccedbc8e927645aef0de3b2fd5dadf6c76a98d53fe005
Instruction ID: 457db41ec9c5e36e7516ec23bb766ada09fe2b48bd86564b43cfef7392fa9a99
Opcode Fuzzy Hash: 6a533f7570c97c43fb6ccedbc8e927645aef0de3b2fd5dadf6c76a98d53fe005
Instruction Fuzzy Hash: 99219F75D00214AFCB209FA8D982BAEB7F8EF49750F144069E905BB381DA709E418BB1

Function 00D48FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

GetCursorPos.USER32(?), ref: 00D49001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D07711,?,?,?,?,?), ref: 00D49016
GetCursorPos.USER32(?), ref: 00D4905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D07711,?,?,?), ref: 00D49094

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 73611a08499ed90d83fe1472cbce6026ecf04c402cc517d7d9f736f4b4646650
Instruction ID: 46384bc6ba16a684e3bcabdd9a9493cd0505be9df8cee7bbe24f20039006a16d
Opcode Fuzzy Hash: 73611a08499ed90d83fe1472cbce6026ecf04c402cc517d7d9f736f4b4646650
Instruction Fuzzy Hash: D821BF35601118EFDB25CF95C868EEBBBB9EB4A350F044059F94587261C7319D90DF70

Function 00D1D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00D4CB68), ref: 00D1D2FB
GetLastError.KERNEL32 ref: 00D1D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00D1D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D4CB68), ref: 00D1D376

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f71e6004b316e26808694b95e999704884a01b56d3164d405cd056c9b330e661
Instruction ID: 3bd5d36b79ac6b7404a324cbb6fc078c5f69307a217972b710075dedc24dbc61
Opcode Fuzzy Hash: f71e6004b316e26808694b95e999704884a01b56d3164d405cd056c9b330e661
Instruction Fuzzy Hash: 4121B274509301AF8710DF68D8818EE77E4EE56324F644A1DF4A9C32E1DB31D98ACBA3

Function 00D11571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D1102A
Part of subcall function 00D11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D11036
Part of subcall function 00D11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11045
Part of subcall function 00D11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D1104C
Part of subcall function 00D11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D11062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D115BE
_memcmp.LIBVCRUNTIME ref: 00D115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D11617
HeapFree.KERNEL32(00000000), ref: 00D1161E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2a6282067ec7836a4ff5ae337f82eff61f91ce9ea5ad470947dbf5a3bb0f0a0d
Instruction ID: 5353e0cc8c4d9d85770941cbc215eb10daeb4310dcfb830079764c426c70fafe
Opcode Fuzzy Hash: 2a6282067ec7836a4ff5ae337f82eff61f91ce9ea5ad470947dbf5a3bb0f0a0d
Instruction Fuzzy Hash: D8219A75E01208FFDF10DFA4D945BEEB7B9EF84344F084459E541AB241EB31AA85CBA0

Function 00D42782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00D4280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D42824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D42832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D42840

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 699a40366eed7f014351595f009c1c2293cce2f1307bccce1e0fbe2d809316b8
Instruction ID: fc4b1e10195fc42fd4bc293595f6f3f9c34b9688de72a7e4d4b265a5d1979863
Opcode Fuzzy Hash: 699a40366eed7f014351595f009c1c2293cce2f1307bccce1e0fbe2d809316b8
Instruction Fuzzy Hash: 2D21A135205611AFD7149B24C845FBA7BA9EF46324F588158F426CB6E2CB71FC42CBB1

Function 00D178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D1790A,?,000000FF,?,00D18754,00000000,?,0000001C,?,?), ref: 00D18D8C
Part of subcall function 00D18D7D: lstrcpyW.KERNEL32(00000000,?,?,00D1790A,?,000000FF,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D18DB2
Part of subcall function 00D18D7D: lstrcmpiW.KERNEL32(00000000,?,00D1790A,?,000000FF,?,00D18754,00000000,?,0000001C,?,?), ref: 00D18DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D17923
lstrcpyW.KERNEL32(00000000,?,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D17949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D18754,00000000,?,0000001C,?,?,00000000), ref: 00D17984

Strings

cdecl, xrefs: 00D1797B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 89730661cd857ba7d9bae09dc0e87fc9ff0590ed5017fab14d31d0c1780371a5
Instruction ID: 8ee57907e6824d37e1f025634889dc0344eba8fb82e925dfd886ab4f3b626fbb
Opcode Fuzzy Hash: 89730661cd857ba7d9bae09dc0e87fc9ff0590ed5017fab14d31d0c1780371a5
Instruction Fuzzy Hash: 5811A23A201301BBCB159F34E845EBA77A5EF85350B50402AE946C72A4EF3198559BB1

Function 00D47CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00D47D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D47D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D47D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D2B7AD,00000000), ref: 00D47D6B

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 7c9918559c49f2942dbd6fd733fbeac00a83b2ea87101fee9d2dd7f6cc8f3db3
Instruction ID: 39699d87feb5360a011d0284971a808240d57e5d999999e0201229b3f5ad5c96
Opcode Fuzzy Hash: 7c9918559c49f2942dbd6fd733fbeac00a83b2ea87101fee9d2dd7f6cc8f3db3
Instruction Fuzzy Hash: F9117235625615EFCB109F68CC04AAA3BA9AF46360F198724F839D72F0D7309D52DB60

Function 00D45660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00D456BB
_wcslen.LIBCMT ref: 00D456CD
_wcslen.LIBCMT ref: 00D456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D45816

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c4751db1afadf6688a3cd6ca1b74f0ef3a849d99ffa32405e1009917cbbdf04b
Instruction ID: 551661ff61d4b7a68a136427e789ed36c1ef9de77d03836528bbe326e5d2b2c7
Opcode Fuzzy Hash: c4751db1afadf6688a3cd6ca1b74f0ef3a849d99ffa32405e1009917cbbdf04b
Instruction Fuzzy Hash: FF11D375600608A7DF209F61EC85AEE77BCEF12760B144026FA15D6186EB70CA84CF70

Function 00CE1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f39746697225b02cb6135e1380b80c6dcc15fef5cfd964b4fbaf2fcea8cb38f2
Instruction ID: a260b48b70f47173f5bf9cf5d709e7c17ac7dfc57dc63ddf20e77cdf7bdbe809
Opcode Fuzzy Hash: f39746697225b02cb6135e1380b80c6dcc15fef5cfd964b4fbaf2fcea8cb38f2
Instruction Fuzzy Hash: 8101D6B220579A3FF6121A7A6CC1F27661CDF813B8F391325F931912D2DB718E105170

Function 00D11A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D11A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D11A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D11A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D11A8A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cde2e920835876c8c38ccf6c7f26eecaed88e526295203e512ffdccd98099627
Instruction ID: 50f4b0aa5d694c4871d823c6a285e03d0467a0464f8e33b66ee431d565f7c9d8
Opcode Fuzzy Hash: cde2e920835876c8c38ccf6c7f26eecaed88e526295203e512ffdccd98099627
Instruction Fuzzy Hash: 8511FA3A901219FFEB119BA5D985FEDBB78EF04750F200091EA04B7290DA716E51DBA4

Function 00D1E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D1E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00D1E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D1E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D1E24D

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3b2a89197ee9bfa475bc07518403af23b4a7db70453a36b8d93b4c0de14193c8
Instruction ID: 6675ac1a0a2694dc30e9ecba95024d689c787bb25db4da81868eae66296c4c96
Opcode Fuzzy Hash: 3b2a89197ee9bfa475bc07518403af23b4a7db70453a36b8d93b4c0de14193c8
Instruction Fuzzy Hash: 3111C47AA14354BBC7119FA8AC09AEE7FACAB46320F144255FD25E3391D6B0CD4487B0

Function 00CDD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00CDCFF9,00000000,00000004,00000000), ref: 00CDD218
GetLastError.KERNEL32 ref: 00CDD224
__dosmaperr.LIBCMT ref: 00CDD22B
ResumeThread.KERNEL32(00000000), ref: 00CDD249

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ee19c5340905403d55a26ab584ffb0cc09b08098c4dd660d56b5303569e9249b
Instruction ID: 6072616b102b6ab2146c6758a68c02541a9803189d7014268a0fb2937f4f8056
Opcode Fuzzy Hash: ee19c5340905403d55a26ab584ffb0cc09b08098c4dd660d56b5303569e9249b
Instruction Fuzzy Hash: 2701D676C052047BC7115FA5DC09BAE7A6DEF82331F10021EFA26923D0CB71CD41D6A0

Function 00D49EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00CC9BB2

GetClientRect.USER32(?,?), ref: 00D49F31
GetCursorPos.USER32(?), ref: 00D49F3B
ScreenToClient.USER32(?,?), ref: 00D49F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00D49F7A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 20f22448db1385d792c2d615b72ca1155ebac2c87ac8790c3f623cead431fa06
Instruction ID: 1f109ec7c708650b5ae4ccf37792f21d15fd0e5995e2838559ace8c9fe52ef7e
Opcode Fuzzy Hash: 20f22448db1385d792c2d615b72ca1155ebac2c87ac8790c3f623cead431fa06
Instruction Fuzzy Hash: 5311483690121AABDB10EF69D8599EEB7B8FF46311F040455F911E3250D730BE8ACBB1

Function 00CB600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CB604C
GetStockObject.GDI32(00000011), ref: 00CB6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB606A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 27c3f39f37abd8d17e432ad87c37161fde3cdccde012c34373141e8014864fb5
Instruction ID: 8c34ffd9b07626a507a2f7f2f5bc753d84144df11916610fdbee34bdee500482
Opcode Fuzzy Hash: 27c3f39f37abd8d17e432ad87c37161fde3cdccde012c34373141e8014864fb5
Instruction Fuzzy Hash: E111A172102608BFEF125F95DC44EFABF6DEF19364F000105FA1492120D7369D60DBA0

Function 00CD3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00CD3B56

Part of subcall function 00CD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00CD3AD2
Part of subcall function 00CD3AA3: ___AdjustPointer.LIBCMT ref: 00CD3AED

_UnwindNestedFrames.LIBCMT ref: 00CD3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00CD3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00CD3BA4

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4439fa5f67b8c4ef7c6d062301ac5f6c96cf94c9de516a5628bd9bd6abe9ae2d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 0501E932100189BBDF125F95CC46EEB7B6AEF58794F04401AFF5896221C732E961EBA1

Function 00CE3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CB13C6,00000000,00000000,?,00CE301A,00CB13C6,00000000,00000000,00000000,?,00CE328B,00000006,FlsSetValue), ref: 00CE30A5
GetLastError.KERNEL32(?,00CE301A,00CB13C6,00000000,00000000,00000000,?,00CE328B,00000006,FlsSetValue,00D52290,FlsSetValue,00000000,00000364,?,00CE2E46), ref: 00CE30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CE301A,00CB13C6,00000000,00000000,00000000,?,00CE328B,00000006,FlsSetValue,00D52290,FlsSetValue,00000000), ref: 00CE30BF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1e9637159678f9dc55ed59c67ca5a8482ce1f19e931b205b6a6fec631aaf2a8b
Instruction ID: 3a4324eb115ca6ea6a07fd59131dea43ccaf2866aa55ea8a12e4dbc749d54acf
Opcode Fuzzy Hash: 1e9637159678f9dc55ed59c67ca5a8482ce1f19e931b205b6a6fec631aaf2a8b
Instruction Fuzzy Hash: EE01AC367123A2ABCB718F7B9C4C9677B989F45761B114620F915D7290D721EA01C6F0

Function 00D17464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D1747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D17497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D174CA

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f0ee3dd28463d8d72560f7325b2f357ce9a79daa4c113ddff70662a198ed4df8
Instruction ID: f1e3f771b6c08f8e933562bbda819c07033d58980436cb50c5b0683aaba39d4c
Opcode Fuzzy Hash: f0ee3dd28463d8d72560f7325b2f357ce9a79daa4c113ddff70662a198ed4df8
Instruction Fuzzy Hash: 1011A1B5206314ABE7208F54ED08BD27BFCEB00B00F108569A656D6161DB70E984DB70

Function 00D1B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D1ACD3,?,00008000), ref: 00D1B126

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7a3aee6cf2c2f673d8b9d08b14935cde320684299109309096eba264dc68cc11
Instruction ID: 6e32b50d42aa851975333f020639e75dae4d3ecde8ac74b6da616a934568c584
Opcode Fuzzy Hash: 7a3aee6cf2c2f673d8b9d08b14935cde320684299109309096eba264dc68cc11
Instruction Fuzzy Hash: 15113C31D01718F7CF009FE4E9586EEBB78FF0A721F114086D951B2241CF3095908B61

Function 00D47E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D47E33
ScreenToClient.USER32(?,?), ref: 00D47E4B
ScreenToClient.USER32(?,?), ref: 00D47E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D47E8A

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0918453c4386436ef23e3a290f72e5686d1c47ddc7e7ec81fac69c1464a67f6d
Instruction ID: e501bc3bc3d3b8f36ce9caf79520eb4d1b9aaa193db6a7ef2638eb0cfa285f44
Opcode Fuzzy Hash: 0918453c4386436ef23e3a290f72e5686d1c47ddc7e7ec81fac69c1464a67f6d
Instruction Fuzzy Hash: A21143B9D0020AAFDB41CF98C8849EEBBF5FB09310F509166E915E2210D735AA55CF60

Function 00D12DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D12DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D12DD6
GetCurrentThreadId.KERNEL32 ref: 00D12DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D12DE4

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: bbd6ef385cf912ee8a0ddd6a64c3dd4d7d8c28510bc4157664e0d10992c7255f
Instruction ID: d7429e8bf823fc81d9b192f918f1948abe16bb3f2282aa096f176b4977211624
Opcode Fuzzy Hash: bbd6ef385cf912ee8a0ddd6a64c3dd4d7d8c28510bc4157664e0d10992c7255f
Instruction Fuzzy Hash: 75E06D752123287BDB201BA2EC0DEFB3E6CEB43BA1F055015B105D11909AA5C880C6F0

Function 00D48863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00CC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00CC9693
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96A2
Part of subcall function 00CC9639: BeginPath.GDI32(?), ref: 00CC96B9
Part of subcall function 00CC9639: SelectObject.GDI32(?,00000000), ref: 00CC96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D48887
LineTo.GDI32(?,?,?), ref: 00D48894
EndPath.GDI32(?), ref: 00D488A4
StrokePath.GDI32(?), ref: 00D488B2

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a3823977ce82ccde06183541cf6b385ce08fafec15aeae96e28da35f65cbec05
Instruction ID: edb4c88fc3cf5044a2497aef38a3e304cba574f86b26cd4ed25a14bc7ca4f341
Opcode Fuzzy Hash: a3823977ce82ccde06183541cf6b385ce08fafec15aeae96e28da35f65cbec05
Instruction Fuzzy Hash: D3F03A3A052358BBDB126F94AC09FCE3A59AF06350F048100FA11A52E2C7755511DFF9

Function 00CC98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00CC98CC
SetTextColor.GDI32(?,?), ref: 00CC98D6
SetBkMode.GDI32(?,00000001), ref: 00CC98E9
GetStockObject.GDI32(00000005), ref: 00CC98F1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e79b0a14a21df1df872e1daddbd7b39b1c199464ab4b204ebe585c347cfb3b3f
Instruction ID: e79f7855a489b8ee658dd672856e222fcf25e8789891277d6dfdd864487d8603
Opcode Fuzzy Hash: e79b0a14a21df1df872e1daddbd7b39b1c199464ab4b204ebe585c347cfb3b3f
Instruction Fuzzy Hash: 1EE06D35655780ABEB615F74EC0DBE83F20EB16336F089219F6FA981E1C77256409B30

Function 00D1162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D11634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D111D9), ref: 00D1163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D111D9), ref: 00D11648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D111D9), ref: 00D1164F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 72cdea850210911a402c3ad7a7dc46920cb24a278410304e7093a7c8f31ed473
Instruction ID: f1b941e9226d4b3a0d11ab82050015027f96272225f34d38c8d4cad6b55079af
Opcode Fuzzy Hash: 72cdea850210911a402c3ad7a7dc46920cb24a278410304e7093a7c8f31ed473
Instruction Fuzzy Hash: 2EE0463A612311ABD7B01FA0AE0DB863BA8AF46792F188808F245C9090EA6484808B74

Function 00D0D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D0D858
GetDC.USER32(00000000), ref: 00D0D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D0D882
ReleaseDC.USER32(?), ref: 00D0D8A3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9275ec6361972a863ea74511f644f6d2c27357cff63c8484f98caf1a777ad96c
Instruction ID: 6a064a32a0d18ec292eab6c6a24ba9183f87a584916d0f630cc8e118b1dc141c
Opcode Fuzzy Hash: 9275ec6361972a863ea74511f644f6d2c27357cff63c8484f98caf1a777ad96c
Instruction Fuzzy Hash: F8E01AB8811304DFCB819FE4D808A6DBBB2FB09310F11E059F846E7360C7388901AF60

Function 00D0D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D0D86C
GetDC.USER32(00000000), ref: 00D0D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D0D882
ReleaseDC.USER32(?), ref: 00D0D8A3

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 807a84c614857b88e6f93799d526cbe660ccb722930e498f2f4b618200cfe434
Instruction ID: b00a0da656a3d6cc484f3af0b72ec70ed2e2e895f80d48b1caa8930466c5143c
Opcode Fuzzy Hash: 807a84c614857b88e6f93799d526cbe660ccb722930e498f2f4b618200cfe434
Instruction Fuzzy Hash: 73E012B8811300EFCB90AFA4D808A6DBBB1BB08310F11A048F80AE7360CB385901AF60

Function 00D24D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB7620: _wcslen.LIBCMT ref: 00CB7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00D24ED4

Strings

*, xrefs: 00D24E10
LPT, xrefs: 00D24DFB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 32f30c69f94390fbcab45b36d15ed7ce5dc67f75eb7099b8521948d4ee094004
Instruction ID: 4f7da457c2b8ec2750c4249d0e0f6f314c30e6e5662f28ff1435ec12e92c93ce
Opcode Fuzzy Hash: 32f30c69f94390fbcab45b36d15ed7ce5dc67f75eb7099b8521948d4ee094004
Instruction Fuzzy Hash: C6918275A002149FDB14DF58D584EAABBF1BF94308F198099F84A9F362D731ED85CBA0

Function 00CDE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CDE30D

Strings

pow, xrefs: 00CDE2E5, 00CDE302

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1577f7cfa55f03d081a76b0058d075e7f4208c1673107663aa75ea3a71035aae
Instruction ID: f5396079c769926e62dac47be844b2f7ab9ede2097d3e528b625dc158f1daccc
Opcode Fuzzy Hash: 1577f7cfa55f03d081a76b0058d075e7f4208c1673107663aa75ea3a71035aae
Instruction Fuzzy Hash: 75518F61A0C34296CB157716CD0137A3BA8DF40741F304B9AE5F58B3F8EB348E85AA46

Function 00CCE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00CCE1B1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1a4cf1e0054adf5009210783e7f79f703af82a6fda61a843f969dcd58a2f2a2d
Instruction ID: 266eebd385c33b4ba1eae1cff37d489430c2e0e8076587d8008cf6f5e60ce40b
Opcode Fuzzy Hash: 1a4cf1e0054adf5009210783e7f79f703af82a6fda61a843f969dcd58a2f2a2d
Instruction Fuzzy Hash: FB514435A00346DFDB24DF68C081BFA7BA8EF96310F288419E8959B2D0D7349D42DBB0

Function 00CCF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CCF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CCF2BB

Strings

@, xrefs: 00CCF2AF

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b2bb6e38c0e8f15a2d5a8e0133fcf2e98e83c49a632af28a7fdbc6ad8c533180
Instruction ID: 9cd5931bab5a97ad9ee40c52ae0853e136f04a36bc7e7eb736b8963efe11a0c1
Opcode Fuzzy Hash: b2bb6e38c0e8f15a2d5a8e0133fcf2e98e83c49a632af28a7fdbc6ad8c533180
Instruction Fuzzy Hash: C35145714087449BD320AF54EC86BABBBF8FB84300F81885DF5D9812A5EB708529CB66

Function 00D35745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00D357E0
_wcslen.LIBCMT ref: 00D357EC

Strings

CALLARGARRAY, xrefs: 00D357E6, 00D357EB

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 2dac573ec5b96407846f9cef557f5979a22a2c92beea0f8a76ed6753789c15ab
Instruction ID: 948533c42db4b7258c38ae93744cfb54fad036a5ba1faf0608e8535d6011e2d3
Opcode Fuzzy Hash: 2dac573ec5b96407846f9cef557f5979a22a2c92beea0f8a76ed6753789c15ab
Instruction Fuzzy Hash: 32418C71A002099FCB14DFA9D8829EEBBB5EF59320F244069E505A7295EB309D81DBB0

Function 00D2D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D2D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D2D13A

Strings

|, xrefs: 00D2D10B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: abf7defbc0bf3b459fb2f70a81647a91c93856a9f74c9565c8a3b4ef857c606f
Instruction ID: 0f6b3e362e586ae798b657ea154405c32b3e646654751a99de5564b9a354e478
Opcode Fuzzy Hash: abf7defbc0bf3b459fb2f70a81647a91c93856a9f74c9565c8a3b4ef857c606f
Instruction Fuzzy Hash: FF313071D00219AFCF15EFA4DC85AEE7FBAFF14304F100019F915A61A5D735A916DB60

Function 00D4356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D43621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D4365C

Strings

static, xrefs: 00D435BC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a250794905364a3c5a3c1b470fa0cb6792edb8e5cf7af092f6cb7c46ddeb41c9
Instruction ID: 813ce2e6d21081a52c9fccf4adb2f38dc36eca036919dddfb605c647672aed5e
Opcode Fuzzy Hash: a250794905364a3c5a3c1b470fa0cb6792edb8e5cf7af092f6cb7c46ddeb41c9
Instruction Fuzzy Hash: 1E318971110204AFDB209F68DC81EFB73A9FF88760F159619F8A5D7290DA30AD91DB70

Function 00D44537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D4461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D44634

Strings

', xrefs: 00D4458E

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 75db0521fc92b2380e871969b6214bd83669efce4d020124e253d38d9c190146
Instruction ID: a4afbb8708c9c620d9e312276a226ca6a8ce1364a2fa3a4bb6bf0b2fc6df4617
Opcode Fuzzy Hash: 75db0521fc92b2380e871969b6214bd83669efce4d020124e253d38d9c190146
Instruction Fuzzy Hash: 31310774A013099FDF14CFA9C991BDABBB5FF49300F15406AE905AB391D770A981CFA0

Function 00D431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D4327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D43287

Strings

Combobox, xrefs: 00D43249

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 968485c69f2600c15c8d6fbd0988793e79eb2382a4e3038c95c8c5cae97bc47d
Instruction ID: 97bf74bf76d78feaea2d3f3f31d7ce68af03c51874a7f62ecefdf4a7ec901222
Opcode Fuzzy Hash: 968485c69f2600c15c8d6fbd0988793e79eb2382a4e3038c95c8c5cae97bc47d
Instruction Fuzzy Hash: BE11B2713002087FFF259F58DCC1EBB376AEB943A4F144125F91897290D6B19D519774

Function 00D43710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00CB604C
Part of subcall function 00CB600E: GetStockObject.GDI32(00000011), ref: 00CB6060
Part of subcall function 00CB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00CB606A

GetWindowRect.USER32(00000000,?), ref: 00D4377A
GetSysColor.USER32(00000012), ref: 00D43794

Strings

static, xrefs: 00D43757

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 165208e8b2a60154eb4c6fbb81407ccf0c5a128b895ce378500d6ca540d6f1d1
Instruction ID: d287596be01973a9c310a0052b63e041672f8df1064a346f4de83ba35e8364d4
Opcode Fuzzy Hash: 165208e8b2a60154eb4c6fbb81407ccf0c5a128b895ce378500d6ca540d6f1d1
Instruction Fuzzy Hash: D21126B2620209AFDF00DFA8CC46AEA7BB8EB09354F015915F995E2250E775E8519B60

Function 00D2CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D2CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D2CDA6

Strings

<local>, xrefs: 00D2CD66

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9ad9c21deba0db392846eb03088b6b40f347f6bf0b473f7dea134e8cdde723c1
Instruction ID: d3bfa8f0c0d9ab7512de17215fbb0138a194e4be3b4f60c06221050aac5f387f
Opcode Fuzzy Hash: 9ad9c21deba0db392846eb03088b6b40f347f6bf0b473f7dea134e8cdde723c1
Instruction Fuzzy Hash: 6711C6752256317AD7344B669C45EEBBE6CEF227A8F005226B14983180D7749C45D6F0

Function 00D43429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D434BA

Strings

edit, xrefs: 00D4348F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 86260e6553f8855a0e93f8b1f311763c6b801c568920f14f857ac1f93b4b25f1
Instruction ID: 4f654776bb96b31a533681a8012952a670391c8e43aa6a311345030b38ab07d6
Opcode Fuzzy Hash: 86260e6553f8855a0e93f8b1f311763c6b801c568920f14f857ac1f93b4b25f1
Instruction Fuzzy Hash: F3118C71210208AFEB129E68DC44AEB376AEB15374F544324F969E32E0C775DD519B70

Function 00D16C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00D16CB6
_wcslen.LIBCMT ref: 00D16CC2

Strings

STOP, xrefs: 00D16CBC, 00D16CC1

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2d30db6b2fce71a4d493c8ad259079426910f50826690a04a2d9089bf238e02b
Instruction ID: 1fb2a4451a909df1ddbb2f96f2f0bb9299f7834de4b8b76349e526b8a4f59a68
Opcode Fuzzy Hash: 2d30db6b2fce71a4d493c8ad259079426910f50826690a04a2d9089bf238e02b
Instruction Fuzzy Hash: 5801C432610526ABCB209FFDFC809FF7BA5EB61710B540524E95296294EF31D980C6B0

Function 00D11CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D11D4C

Strings

ComboBox, xrefs: 00D11CEB
ListBox, xrefs: 00D11D16

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7a06b307e5cac6251cb2f8948bc440124a1e47365505ca0d8f2e2aeeaf0d0bb1
Instruction ID: 678c60f0401de7eef64c962fdca723caf30a801caab808fe062edfd4179945cc
Opcode Fuzzy Hash: 7a06b307e5cac6251cb2f8948bc440124a1e47365505ca0d8f2e2aeeaf0d0bb1
Instruction Fuzzy Hash: 98012479601218BB8B08EBA0EC51DFE77A8EB02350F140609F972673C1EE319948D670

Function 00D11BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D11C46

Strings

ComboBox, xrefs: 00D11BE5
ListBox, xrefs: 00D11C10

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 532df29c936899d39b188cffae29729ae12433f4393114fe1f5bde968bb16856
Instruction ID: 833da89c424124d7c345f1ff55978d9669113c59f63a2a73a38f728153a4fe72
Opcode Fuzzy Hash: 532df29c936899d39b188cffae29729ae12433f4393114fe1f5bde968bb16856
Instruction Fuzzy Hash: 9501A7797811087BCB04EB90E951AFFB7A9DB12340F140019AA16672C1EE619E4C96F1

Function 00D11C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D11CC8

Strings

ComboBox, xrefs: 00D11C69
ListBox, xrefs: 00D11C94

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 44e07ceea76de9e269092a186cffacf4ac374eacee9388144a64665b5f76b43e
Instruction ID: 7056a6c5b0d638b8ccf3c18ef3a250fdaa857335af324b464f422c88972ffd0d
Opcode Fuzzy Hash: 44e07ceea76de9e269092a186cffacf4ac374eacee9388144a64665b5f76b43e
Instruction Fuzzy Hash: E501A2797811187BCF04EBA1EA41AFEB7A9DB12340F140015BA0673281EE619F4896F2

Function 00D11D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9CB3: _wcslen.LIBCMT ref: 00CB9CBD

Part of subcall function 00D13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D13CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00D11DD3

Strings

ComboBox, xrefs: 00D11D75
ListBox, xrefs: 00D11DA0

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e76d63bf31cb693284c6224f24982272499851795a71cd3f75757612e663fbee
Instruction ID: 2a411bcd7442ec67b1d65ff9bb5ffa92289ec8e1c36af2b83b243625be6d4d9f
Opcode Fuzzy Hash: e76d63bf31cb693284c6224f24982272499851795a71cd3f75757612e663fbee
Instruction Fuzzy Hash: 62F0A475B412187BDB04E7A4FC92BFE7768EB02350F140919BA66632C1EE71994C92B1

Function 00D3747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00D37493
_wcslen.LIBCMT ref: 00D374B9

Strings

3, 3, 16, 1, xrefs: 00D37483

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 8423126a4ce7589ff821ea3ec449b42bee820964ca51f75f7ef07dae67cda4ea
Instruction ID: 353e0c658da55e1ec1c669aee4aa2bfddc66dbb6e0f5f9a71bb8818db494d3c3
Opcode Fuzzy Hash: 8423126a4ce7589ff821ea3ec449b42bee820964ca51f75f7ef07dae67cda4ea
Instruction Fuzzy Hash: 0EE02B42204B20219235137ADCC197F568DCFCA750B14182BFB85C2366FAE49D91A3B0

Function 00D10B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D10B23

Strings

AutoIt, xrefs: 00D10B17
Error allocating memory., xrefs: 00D10B1C

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 474d806b67121c2b951c43b608dad16dea60414fc12cd93b4df1c1fb27f696d6
Instruction ID: 64942364531b0a28f824635443bf7fedbee1f66eeb6ff6952e4428927f03172f
Opcode Fuzzy Hash: 474d806b67121c2b951c43b608dad16dea60414fc12cd93b4df1c1fb27f696d6
Instruction Fuzzy Hash: A7E0D8312853183BD2143B94BC03FC97B848F05B11F10442EF748955C38EE124901AF9

Function 00CD0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CCF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CD0D71,?,?,?,00CB100A), ref: 00CCF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00CB100A), ref: 00CD0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00CB100A), ref: 00CD0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CD0D7F

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 2b927400aadb4e8672b1585c4c9349d14184623f58b6ed971e3424d4d1c73b51
Instruction ID: 8909aa543e51bf730e9f62e47b94b77e3ada25af9c1ae0d8b77b202b0e599384
Opcode Fuzzy Hash: 2b927400aadb4e8672b1585c4c9349d14184623f58b6ed971e3424d4d1c73b51
Instruction Fuzzy Hash: E3E06D742007118BD3609FBCE4487427BE5AB04741F10492EE482C6761DBF0E4488BB1

Function 00D23017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00D2302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00D23044

Strings

aut, xrefs: 00D23038

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 72cfdcb96fcbca9ec8269996ab71a0d24addea9f3454d61e762e975bf6a028a8
Instruction ID: ab1089aee7aa44566b02459618f8f3a9e73a5b3523dd383210196c2c014743c3
Opcode Fuzzy Hash: 72cfdcb96fcbca9ec8269996ab71a0d24addea9f3454d61e762e975bf6a028a8
Instruction Fuzzy Hash: 17D05B7550132467DA6097949C4DFC73A6CD706750F0001517655E2191EAF0D544CAE4

Function 00D0D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D0D220

Strings

X64, xrefs: 00D0D2A8
%.3d, xrefs: 00D0D22B

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3624a9aafb9cbe915bee6789eaa209bd41f6e1fc37696e1a49b913a1d62d2e25
Instruction ID: 11f8dc4a15803fc06d1a83173669f395aa5c1660544d126933924caf094cee91
Opcode Fuzzy Hash: 3624a9aafb9cbe915bee6789eaa209bd41f6e1fc37696e1a49b913a1d62d2e25
Instruction Fuzzy Hash: D9D01261809218FACB909BF0CC85EB9B37DAB09301F508467F84ED1080E774C5086B79

Function 00D42356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D4236C
PostMessageW.USER32(00000000), ref: 00D42373

Part of subcall function 00D1E97B: Sleep.KERNEL32 ref: 00D1E9F3

Strings

Shell_TrayWnd, xrefs: 00D42365

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c9a84c936c4148b0a4c2737105fc7d7e4b5b73d6fb57031d5fc7d7fc9f9d07c0
Instruction ID: 5eff1c076a2dbe578206acf238a8fb92f1e67249da7c3d4e8270689db0951973
Opcode Fuzzy Hash: c9a84c936c4148b0a4c2737105fc7d7e4b5b73d6fb57031d5fc7d7fc9f9d07c0
Instruction Fuzzy Hash: 68D0A9363923107BE2A8AB30AC0FFCA66149B01B00F0089027706EA2E0D8A0A8048A34

Function 00D42322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D4232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D4233F

Part of subcall function 00D1E97B: Sleep.KERNEL32 ref: 00D1E9F3

Strings

Shell_TrayWnd, xrefs: 00D42325

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0f91155498deec0016825f7aed03b0d0d15268c57fe54cd2e9d514d492386556
Instruction ID: b22c4d66bced1f7d3091b3f818b6e9dd9d4d1cf72ef2b18dd339a92be8bbdb9f
Opcode Fuzzy Hash: 0f91155498deec0016825f7aed03b0d0d15268c57fe54cd2e9d514d492386556
Instruction Fuzzy Hash: 76D0233539131077D1A4B730DC0FFC676149B00B00F0045017705D51D0D8F0A404CE30

Function 00CEBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CEBE93
GetLastError.KERNEL32 ref: 00CEBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CEBEFC

Memory Dump Source

Source File: 00000000.00000002.1754944610.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.1754923963.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D4C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755022537.0000000000D72000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755080692.0000000000D7C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1755104300.0000000000D84000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 22cd09d92aaaf64c8e58c3491b1639e1a638e1c44b0c2f4ab7477d4b8fc40564
Instruction ID: 48806315450142e08e35c75ac8ce49c00fbf5af61138339919172172b49cb30a
Opcode Fuzzy Hash: 22cd09d92aaaf64c8e58c3491b1639e1a638e1c44b0c2f4ab7477d4b8fc40564
Instruction Fuzzy Hash: EF41EA39605286AFCF21CFE6CD54BBB7BA5EF41310F144169F969972A1DB308E01DB60

Analysis Process: firefox.exePID: 7880, Parent PID: 8000COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000024CC8D5B637 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000024CC8D5B65C

Memory Dump Source

Source File: 00000010.00000002.2956319303.0000024CC8D59000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000024CC8D59000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_24cc8d59000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: cbe9ae4b263a386d64eb49403e0ea718c14a8d56f5fb7848961dadfa84cae2f1
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 99A3E471618A498BDB6DDF2CDC856AA73D6FB95301F14422FD94BC7281DF30EA428B81

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1880298282.0000025B2D707000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889454282.0000025B20DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1895566141.0000025B2909F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1895566141.0000025B2909F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1913654149.0000025B2CDF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1927979809.0000025B225BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891755753.0000025B2CDF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1939662489.0000025B23309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1939662489.0000025B23309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895566141.0000025B2909F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1780589636.0000025B21F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/bound onEnabledPrefChangehttps://www.facebook.com/https://www.amazon.co.uk/nimbus:enrollments-updatedoptInToExperiment/branch<main/nimbus-desktop-experimentsrs-experiment-loader-timer_validateBranches/schema<nimbus-desktop-experimentshttps://www.aliexpress.com/https://www.wikipedia.org/main/nimbus-desktop-experimentsFailed to flush browser: initEntry/entry.cancelPromise<quickactions-cmd-bookmarksCould not find experiment slug menuitem-screenshot-extensionload/actionData.commands<GeckoAndroidSpecificPropertiesWebExtensionDictionaryManifestload/actionData.commands</<quickactions-cmd-downloadsquickactions-cmd-extensionsquickactions-cmd-settingsquickactions-cmd-inspectorquickactions-cmd-screenshotquickactions.randomOrderActionsquit-application-requestedDEFAULT_REPLACEMENT_CHARACTERgoogle@search.mozilla.org__MSG_searchUrlGetParams__OptionalPermissionNoPromptOptionalPermissionOrOriginFirefoxSpecificPropertiessettings, preferences, optionsquickactions-cmd-clearhistoryWebExtensionLangpackManifest__MSG_extensionDescription__quickactions-cmd-viewsourcequickactions-clearhistory equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1895566141.0000025B2909F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC870A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC870A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1901690236.0000025B231B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2950836431.0000024CC870A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2951366567.000001D47D90C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1915734384.0000025B293EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918451638.0000025B236B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913654149.0000025B2CDF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1915734384.0000025B293EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1918451638.0000025B236B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1917778855.0000025B24374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898128340.0000025B24374000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49801 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_134e9a86-2d53-441a-900e-4da9908ea9ec.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_134e9a86-2d53-441a-900e-4da9908ea9ec.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre