Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1540376
MD5:	4bd898f7538e346e91e4c83e0c11ad2a
SHA1:	f582f982b3adbdb5eb1baeedbfff063fbc90cbc4
SHA256:	e3356f3e1f7ab9698f237f04f492a90900f37d1e4b4682c0d9c1f810108c9cf6
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4BD898F7538E346E91E4C83E0C11AD2A)

taskkill.exe (PID: 6104 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4120 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1488 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1396 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1120 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5652 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7104 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2472 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2100 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0db7204-06d3-428f-bcd4-2897346120bd} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870d10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2300 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a70b601-fc0d-4b95-b580-7725ca6cdc50} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223bdd2b510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7620 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349d6966-eb71-4eb8-a0f9-1297aa39e4f0} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870310 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 5016	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0092EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0092EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0092ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0092EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0091AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00949576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00949576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2040964883.0000000000972000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_71566724-2
Source: file.exe, 00000000.00000000.2040964883.0000000000972000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_98f76143-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dcae639c-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b77d9512-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002ABBAACAD37 NtQuerySystemInformation,		17_2_000002ABBAACAD37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002ABBAAE8FF2 NtQuerySystemInformation,		17_2_000002ABBAAE8FF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0091D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00911201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00911201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0091E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00922046	0_2_00922046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B8060	0_2_008B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00918298	0_2_00918298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EE4FF	0_2_008EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E676B	0_2_008E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00944873	0_2_00944873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DCAA0	0_2_008DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008BCAF0	0_2_008BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CCC39	0_2_008CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E6DD9	0_2_008E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B91C0	0_2_008B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CB119	0_2_008CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D1394	0_2_008D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D1706	0_2_008D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D781B	0_2_008D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D19B0	0_2_008D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008B7920	0_2_008B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C997D	0_2_008C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D7A4A	0_2_008D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D7CA7	0_2_008D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D1C77	0_2_008D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E9EEE	0_2_008E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093BE44	0_2_0093BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D1F32	0_2_008D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002ABBAACAD37	17_2_000002ABBAACAD37
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002ABBAAE8FF2	17_2_000002ABBAAE8FF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002ABBAAE9032	17_2_000002ABBAAE9032
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002ABBAAE971C	17_2_000002ABBAAE971C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008B9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008CF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008D0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009237B5 GetLastError,FormatMessageW,

0_2_009237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009110BF AdjustTokenPrivileges,CloseHandle,		0_2_009110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0091D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0092648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222380048.00000223C428D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2222380048.00000223C42A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2243497496.00000223C421F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2100 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0db7204-06d3-428f-bcd4-2897346120bd} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a70b601-fc0d-4b95-b580-7725ca6cdc50} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223bdd2b510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349d6966-eb71-4eb8-a0f9-1297aa39e4f0} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870310 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2100 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0db7204-06d3-428f-bcd4-2897346120bd} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870d10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a70b601-fc0d-4b95-b580-7725ca6cdc50} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223bdd2b510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349d6966-eb71-4eb8-a0f9-1297aa39e4f0} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870310 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000E.00000003.2168491420.00000223C7281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.2173855604.00000223BB6C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2172455447.00000223BB6C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.2173855604.00000223BB6C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.2173855604.00000223BB6C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2172455447.00000223BB6C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdbUGP source: firefox.exe, 0000000E.00000003.2167861509.00000223BB67F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2167501538.00000223BB657000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2172816789.00000223BB6B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000E.00000003.2168491420.00000223C7281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.2173855604.00000223BB6C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2172816789.00000223BB6B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: firefox.exe, 0000000E.00000003.2167861509.00000223BB67F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2167501538.00000223BB657000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008B42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D0A76 push ecx; ret

0_2_008D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00941C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00941C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97572

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002ABBAACAD37 rdtsc

17_2_000002ABBAACAD37

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0091DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EC2A2 FindFirstFileExW,	0_2_008EC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009268EE FindFirstFileW,FindClose,	0_2_009268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0092698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0091D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0091D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00929642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00929642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0092979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00929B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00929B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00925C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00925C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008B42DE

Source: firefox.exe, 00000011.00000002.3906850524.000002ABBA25A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPh
Source: firefox.exe, 00000010.00000002.3907860408.000001268B2B6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3907860408.000001268B28A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3912001052.000002ABBAB00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3907001782.000001D1116AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3908266492.000001D111720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3912006103.000001268B814000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3912001052.000002ABBAB00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllif
Source: firefox.exe, 00000010.00000002.3912639580.000001268B900000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3912001052.000002ABBAB00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002ABBAACAD37 rdtsc

17_2_000002ABBAACAD37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092EAA2 BlockInput,

0_2_0092EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_008D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00910B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00910B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D09D5 SetUnhandledExceptionFilter,	0_2_008D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00911201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_008F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091B226 SendInput,keybd_event,

0_2_0091B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00910B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00911663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00911663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.2170421469.00000223C7281000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008D0698 cpuid

0_2_008D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00928195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00928195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0090D27A GetUserNameW,

0_2_0090D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008EB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5016, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 5016, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00931204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00931806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://screenshots.firefox.com	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://fpn.firefox.com	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	unknown
services.addons.mozilla.org	151.101.1.91	true	false	unknown
dyna.wikimedia.org	185.15.59.224	true	false	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	unknown
contile.services.mozilla.com	34.117.188.166	true	false	unknown
youtube.com	142.250.181.238	true	false	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
youtube-ui.l.google.com	142.250.185.110	true	false	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	unknown
reddit.map.fastly.net	151.101.1.140	true	false	unknown
ipv4only.arpa	192.0.0.171	true	false	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	unknown
push.services.mozilla.com	34.107.243.93	true	false	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	unknown
www.reddit.com	unknown	unknown	false	unknown
spocs.getpocket.com	unknown	unknown	false	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	unknown
support.mozilla.org	unknown	unknown	false	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	unknown
www.youtube.com	unknown	unknown	false	unknown
www.facebook.com	unknown	unknown	false	unknown
detectportal.firefox.com	unknown	unknown	false	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	unknown
shavar.services.mozilla.com	unknown	unknown	false	unknown
www.wikipedia.org	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3909382128.000001D111AC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.di	firefox.exe, 0000000E.00000003.2174042782.00000223BB67D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2168605415.00000223BB685000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2169189703.00000223BB67D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2256620474.00000223BD413000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsJ	firefox.exe, 0000000E.00000003.2167861509.00000223BB67F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2167501538.00000223BB657000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2266977770.00000223C4FC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222023911.00000223C4FC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222023911.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3909825771.000001268B7E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911736485.000001D111B03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3908748512.000002ABBA586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909382128.000001D111A8E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2257394917.00000223BD27B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2269068154.00000223C3BBA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com	firefox.exe, 0000000E.00000003.2265077230.00000223B96C5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2259425047.00000223BCD1E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2227287959.00000223BF067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090358836.00000223BBA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090575547.00000223BBA53000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2274206484.00000223BE4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258040254.00000223BCD85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116827186.00000223BCD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2258040254.00000223BCDBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228886727.00000223BE4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259016114.00000223BCD56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248012648.00000223BE4D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116827186.00000223BCDBF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2272883662.00000223BE6CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2244511218.00000223BE6CA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000E.00000003.2244511218.00000223BE658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272883662.00000223BE68A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2091762883.00000223BBA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089333601.00000223BB800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2210571336.00000223C6914000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2091227741.00000223BBA6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089565926.00000223BBA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090358836.00000223BBA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2128290202.00000223C6914000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2117325385.00000223BCD34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2251407617.00000223BD4C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090575547.00000223BBA53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2127422748.00000223C6914000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com/	firefox.exe, 0000000E.00000003.2314612204.00000223BB490000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2112129904.00000223BD7B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277213770.00000223BD7B7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2089333601.00000223BB800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2091227741.00000223BBA6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2089565926.00000223BBA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090358836.00000223BBA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2090575547.00000223BBA53000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2315532345.00000223BAFD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253474771.00000223C3797000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245699414.00000223BDDE3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2264106991.00000223BC210000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2257394917.00000223BD27B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://exslt.org/dates-and-times4	firefox.exe, 0000000E.00000003.2319197769.00000223B7061000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.digicez	firefox.exe, 0000000E.00000003.2174042782.00000223BB657000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2168605415.00000223BB657000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2167501538.00000223BB657000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2169189703.00000223BB657000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2223589483.00000223C3B80000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://fpn.firefox.com	firefox.exe, 0000000E.00000003.2261997297.00000223BB4D7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.2244511218.00000223BE658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272883662.00000223BE68A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909382128.000001D111A0C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2132410690.00000223BE16A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2131786535.00000223BE16B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2264106991.00000223BC21F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2266977770.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222023911.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3909382128.000001D111AC3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2312042044.00000223BB75F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309704148.00000223C357F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2271324281.00000223C357F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2132410690.00000223BE16A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2131786535.00000223BE16B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2126551202.00000223BD6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2128448034.00000223BD6D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216142952.00000223BD6D5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2267378958.00000223C4F75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2116827186.00000223BCD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2256620474.00000223BD413000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259016114.00000223BCD56000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2264612647.00000223BB46B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	firefox.exe, 0000000E.00000003.2222380048.00000223C424C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3909825771.000001268B7E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911736485.000001D111B03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3909825771.000001268B7E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA5E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3911736485.000001D111B03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.2244511218.00000223BE658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272883662.00000223BE68A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272883662.00000223BE6BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2269068154.00000223C3BBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA512000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909382128.000001D111A13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3908391681.000001D111840000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2282891792.00000223C3C68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.inbox.lv/rfc2368/?value=%su	firefox.exe, 0000000E.00000003.2241955201.00000223C71E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261997297.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313953608.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264612647.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2112129904.00000223BD7DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2110124642.00000223C39CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2261055798.00000223BBCE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275764357.00000223BDEB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259917262.00000223BC263000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316041053.00000223BAF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216142952.00000223BD6D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2216142952.00000223BD6CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185790588.00000223BD5B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275764357.00000223BDEE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2223369095.00000223C3BDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273304611.00000223BE594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116827186.00000223BCDBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2185790588.00000223BD5BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2245322694.00000223BDEE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2186291653.00000223BD594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111081780.00000223C385E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252672533.00000223BCA7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2238973901.00000223BD5DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2225343419.00000223BF149000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2253627032.00000223BE594000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2112129904.00000223BD7B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277213770.00000223BD7B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2112129904.00000223BD7B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2277213770.00000223BD7B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2245053004.00000223BE0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2275235510.00000223BE0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2111780397.00000223BE0B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2282891792.00000223C3C68000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2244511218.00000223BE658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272883662.00000223BE68A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2290407269.00000223C3C40000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.2244511218.00000223BE658000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2272883662.00000223BE68A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2261997297.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313953608.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264612647.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2132410690.00000223BE16A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2263550089.00000223BC2D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259495155.00000223BC2D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2285648956.00000223BD79F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2112129904.00000223BD79B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2132410690.00000223BE16A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2131786535.00000223BE16B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2261997297.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313953608.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264612647.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2266977770.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222023911.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2269068154.00000223C3BBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3909177798.000001268B410000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3911362003.000002ABBAA60000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3909066626.000001D111890000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.2222023911.00000223C4FC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.238	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540376
Start date and time:	2024-10-23 17:59:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@71/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 95% Number of executed functions: 37 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.208.54.237, 44.231.229.39, 52.13.186.250, 2.18.121.79, 2.18.121.73, 2.22.61.56, 2.22.61.59, 142.250.186.174, 142.250.186.142, 142.250.185.106, 142.250.186.170
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 7104 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	AcrobatAvj.7z	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Unknown	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	https://u47792559.ct.sendgrid.net/ls/click?upn=u001.MTqDMK6JtN7-2FTdEWJaqfzKd0v6-2F2UOuEVy1BEbPOuF5keILEyv5G4zc7bYwMOjtQyDtk5ATinrPUw-2BgvaOWXHUf0WlANxRqRsC5bgIMsz92EI66c0h8LCsmVnWVsmrPpI9KQ1Av0wtymoWWp-2BKFae4c01wwTj4-2Bc4-2FShOuIMz-2FF27tFVz2F5x4MDQuxXoA4x-2Fcu5H-2Fg77L7jEH4g0Omwq5aK4Y93In2x8xkZN6RxAIHUAnsHSbv9dNDyMDxCYBpt8R83TA5F1J7zglSD-2FSW-2Fd0a8tRp-2BNOUEOuA6djXly5D90m0euJkmiQYtQdEfHSvFPkVrrFqe1nEZHhVloJzR8g5hLEAmRxDgSEFZK-2FqXqnJbl-2BhglFaTEl1wDvxHLUD1uO-2BTuQv6sNuFEeqs2cPheEWcAIXIzMhwOblNbCnyhCV7uIXv-2BFvLbplDjtKpe4BajklPEPnUOiLZHOZLqihj5rKl5QPX7eEc-2FNLKdxSbgeN6u9b-2FwUFYOEhm9BI4B0QB15u2_3kQhj-2Fx94AB656OfV1IXWVEpnawaSuVFYzZeIwKhrRxgV074ZsGZajrnF1U9GVvs6wJ3XBbA3C0q1Y56Q0AQRaWXh1LuzRLTE6iprhcEL7NrcuYjYDUm4vP90-2Bbj-2FhImYDtdIzFtzpuFA5WHpxfUL2yud9dV-2BDWDKpQXCYbpaPnNLCBzkbwUPBcNlUhkSGcYZOYh0eM13-2FQcBNO5FowRb8IXahZEeipzh9UlrLYhGMMEnA7-2FXj615c7jkys6xxIys08fJcymaARJFIlGVEZZIF-2BOZauL7nzVYt76SvvMjlOZShNBXavLnj35TUiU94p3hnTyULCHEKTNYpJWZhAYDMS7oO-2F1YN-2BGIX9GshP8SzvBn7iRk-2BEuMHNjQZSKm5nguAu4ENmR5Hg1doZby47RzA35RD-2BbHOJrasEoXA41le9LsvYyvJEzgXJ-2FiCTBWNoB2BfMGl-2BNVHQi18yc3h-2FOJYtN4eiiAdtc4eggH10ZDuSCfZ49kUepPeatorVmepe7HyIFRvSaHufZxfuRde01mg-3D-3D	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Unknown	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	https://wetransfer.com/downloads/21820466a51be0cc0de4ef5fd28415d320241023112541/61ecbec42424c68f99ca983cd530758a20241023112545/5d3030?t_exp=1729941941&t_lsid=761fb8c4-59e5-4423-a2fe-24d132de0406&t_network=email&t_rid=YXV0aDB8NjcxMjZmN2QzOGFjMDNkYThkOGJmMDM3&t_s=download_link&t_ts=1729682745&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01	Get hash	malicious	Unknown	Browse	157.240.251.35
	https://k6t.utackhepr.com/WE76L1u/	Get hash	malicious	Tycoon2FA	Browse	157.240.251.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Unknown	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	https://github.com/Matty77o/malware-samples-m-h/raw/refs/heads/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://api-restauration.basiic.net/fWmcv/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://1drv.ms/o/c/6c73e1f3356d6c81/EvfBo1LISVpEg8JGFA7u8GsBL0LmooIAfd5Q39ROhQ0Lhw?e=ZTugWV	Get hash	malicious	HtmlDropper	Browse	151.101.66.137
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://us-west-2.protection.sophos.com/?d=site.pro&u=aHR0cHM6Ly9jbGF1ZGlha3J1ZWdlci5zaXRlLnByby8=&i=NThlN2NjYzYyOTljZjkxNGY4YmM1Njkz&t=QTRyTlRXbysvd3IyNERLT1pJYVNuNlAvU0FLMVAyb2pCN053UGFJSWtBST0=&h=dd65eaa7298b4ffebbd13b01dcbd3434&s=AVNPUEhUT0NFTkNSWVBUSVYfWTd0VrJEAZ1PFPx8UNdDDkWk4HVuGeVZrBnJzV7Ifg	Get hash	malicious	Unknown	Browse	34.117.239.71
	file.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://us-west-2.protection.sophos.com/?d=site.pro&u=aHR0cHM6Ly9jbGF1ZGlha3J1ZWdlci5zaXRlLnByby8=&i=NThlN2NjYzYyOTljZjkxNGY4YmM1Njkz&t=QTRyTlRXbysvd3IyNERLT1pJYVNuNlAvU0FLMVAyb2pCN053UGFJSWtBST0=&h=dd65eaa7298b4ffebbd13b01dcbd3434&s=AVNPUEhUT0NFTkNSWVBUSVYfWTd0VrJEAZ1PFPx8UNdDDkWk4HVuGeVZrBnJzV7Ifg	Get hash	malicious	Unknown	Browse	57.129.39.243
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	3cb770h94r.elf	Get hash	malicious	Okiru	Browse	48.79.238.206
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	https://us-west-2.protection.sophos.com/?d=site.pro&u=aHR0cHM6Ly9jbGF1ZGlha3J1ZWdlci5zaXRlLnByby8=&i=NThlN2NjYzYyOTljZjkxNGY4YmM1Njkz&t=QTRyTlRXbysvd3IyNERLT1pJYVNuNlAvU0FLMVAyb2pCN053UGFJSWtBST0=&h=dd65eaa7298b4ffebbd13b01dcbd3434&s=AVNPUEhUT0NFTkNSWVBUSVYfWTd0VrJEAZ1PFPx8UNdDDkWk4HVuGeVZrBnJzV7Ifg	Get hash	malicious	Unknown	Browse	57.129.39.243
	file.exe	Get hash	malicious	Unknown	Browse	34.160.144.191
	3cb770h94r.elf	Get hash	malicious	Okiru	Browse	48.79.238.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Unknown	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d1573d9-a9d4-4e58-8f0b-bfd7b73f78fb.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182104896150969
Encrypted:	false
SSDEEP:	192:GKMXkGZcbhbVbTbfbRbObtbyEl7nIrOJA6wnSrDtTkd/St:GPpcNhnzFSJortjnSrDhkd/w
MD5:	6679F6D0AF012A2AA8179303F0467FCE
SHA1:	790CD7C40B22BAD26F71208EA241FD7BB0E221BB
SHA-256:	F50123E05C3238CD6F32B881FD5BB0B7EF10728200E1956256804B32BC3F747A
SHA-512:	DB0762B9E42CD06F75FA3140015B393EEEC40DA5BD4066B5F7F67573127EB366C1592F675B58FDB61900C1830FD0F066DB2ACE197585C1005447C3B98299DE69
Malicious:	false
Preview:	{"type":"uninstall","id":"8d1573d9-a9d4-4e58-8f0b-bfd7b73f78fb","creationDate":"2024-10-23T17:13:03.995Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d1573d9-a9d4-4e58-8f0b-bfd7b73f78fb.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182104896150969
Encrypted:	false
SSDEEP:	192:GKMXkGZcbhbVbTbfbRbObtbyEl7nIrOJA6wnSrDtTkd/St:GPpcNhnzFSJortjnSrDhkd/w
MD5:	6679F6D0AF012A2AA8179303F0467FCE
SHA1:	790CD7C40B22BAD26F71208EA241FD7BB0E221BB
SHA-256:	F50123E05C3238CD6F32B881FD5BB0B7EF10728200E1956256804B32BC3F747A
SHA-512:	DB0762B9E42CD06F75FA3140015B393EEEC40DA5BD4066B5F7F67573127EB366C1592F675B58FDB61900C1830FD0F066DB2ACE197585C1005447C3B98299DE69
Malicious:	false
Preview:	{"type":"uninstall","id":"8d1573d9-a9d4-4e58-8f0b-bfd7b73f78fb","creationDate":"2024-10-23T17:13:03.995Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2999910657249467
Encrypted:	false
SSDEEP:	48:aK2dNtCPzUgdwzLz192dNtCPt6BdwzN1H2dNtCPNadwzP1:aKktsW9ktstHHktsNx
MD5:	601C58C3134179542935CB0D423F9C33
SHA1:	CFBD4B0AB9D4FCE6B95BB4E62FE43F9E8D79964E
SHA-256:	53465907B5BFEB770E2CECD7AC324A8745E15E86CA3EAFB09380A6DA657C94C8
SHA-512:	BED0C9F3973318AE4CC29D88E53C511FEC152CD78F3FAA5BBF1711C1FD39AE333320FE5119A44432A2ED1D660BC30650B0B2FC8B632A7605A11B92B5D02B6285
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........ ..d%..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IWY\|.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WWY\|.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WWY\|...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Y..u.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2999910657249467
Encrypted:	false
SSDEEP:	48:aK2dNtCPzUgdwzLz192dNtCPt6BdwzN1H2dNtCPNadwzP1:aKktsW9ktstHHktsNx
MD5:	601C58C3134179542935CB0D423F9C33
SHA1:	CFBD4B0AB9D4FCE6B95BB4E62FE43F9E8D79964E
SHA-256:	53465907B5BFEB770E2CECD7AC324A8745E15E86CA3EAFB09380A6DA657C94C8
SHA-512:	BED0C9F3973318AE4CC29D88E53C511FEC152CD78F3FAA5BBF1711C1FD39AE333320FE5119A44432A2ED1D660BC30650B0B2FC8B632A7605A11B92B5D02B6285
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........ ..d%..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IWY\|.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WWY\|.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WWY\|...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Y..u.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8QKOYVEEOEIO44CXR8Z9.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2999910657249467
Encrypted:	false
SSDEEP:	48:aK2dNtCPzUgdwzLz192dNtCPt6BdwzN1H2dNtCPNadwzP1:aKktsW9ktstHHktsNx
MD5:	601C58C3134179542935CB0D423F9C33
SHA1:	CFBD4B0AB9D4FCE6B95BB4E62FE43F9E8D79964E
SHA-256:	53465907B5BFEB770E2CECD7AC324A8745E15E86CA3EAFB09380A6DA657C94C8
SHA-512:	BED0C9F3973318AE4CC29D88E53C511FEC152CD78F3FAA5BBF1711C1FD39AE333320FE5119A44432A2ED1D660BC30650B0B2FC8B632A7605A11B92B5D02B6285
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........ ..d%..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IWY\|.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WWY\|.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WWY\|...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Y..u.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B7GTJ76VNK1DMX72W6WA.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2999910657249467
Encrypted:	false
SSDEEP:	48:aK2dNtCPzUgdwzLz192dNtCPt6BdwzN1H2dNtCPNadwzP1:aKktsW9ktstHHktsNx
MD5:	601C58C3134179542935CB0D423F9C33
SHA1:	CFBD4B0AB9D4FCE6B95BB4E62FE43F9E8D79964E
SHA-256:	53465907B5BFEB770E2CECD7AC324A8745E15E86CA3EAFB09380A6DA657C94C8
SHA-512:	BED0C9F3973318AE4CC29D88E53C511FEC152CD78F3FAA5BBF1711C1FD39AE333320FE5119A44432A2ED1D660BC30650B0B2FC8B632A7605A11B92B5D02B6285
Malicious:	false
Preview:	...................................FL..................F.@.. ...p........ ..d%..........S...........................P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IWY\|.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WWY\|.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WWY\|...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........Y..u.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928621251005085
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNB9Jxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6Lqj8P
MD5:	62954ADBFC92982E7D3811DA4940B3B1
SHA1:	F82AD976B43ED70CA351C2679AECEF4A124B3BDB
SHA-256:	70B083B44A4AFFFCC395D492CE31669ACADF001A93DF687C42310ACD970E7B5B
SHA-512:	B4DF85885D2BE166A6118BB17030481CDC7F0F896D6C9AB2ADEEF74DDDF38D30811441E340392BF06C8FC9F42EF8EE728812C13C5A3597F0981FFAE6BC887FF4
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.928621251005085
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNB9Jxeln:8S+OVPUFRbOdwNIOdYpjvY1Q6Lqj8P
MD5:	62954ADBFC92982E7D3811DA4940B3B1
SHA1:	F82AD976B43ED70CA351C2679AECEF4A124B3BDB
SHA-256:	70B083B44A4AFFFCC395D492CE31669ACADF001A93DF687C42310ACD970E7B5B
SHA-512:	B4DF85885D2BE166A6118BB17030481CDC7F0F896D6C9AB2ADEEF74DDDF38D30811441E340392BF06C8FC9F42EF8EE728812C13C5A3597F0981FFAE6BC887FF4
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333359575325823
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiV:DLhesh7Owd4+ji
MD5:	38A839AD69B1BD27596828D3CA642C9A
SHA1:	E5315065639CF05AA2A9154A109786B5C7431604
SHA-256:	EA36F3A5CFED2FD9577DF808F83CBDDFCA4138BF1C3C993B317601F46CF9C196
SHA-512:	7380C25B1E68A06BCC95FDE8FC0028C53CD4A063E78B35DCF6E73B915617AF687BE9C2B63DCDEB0E8EBF7011F53E73856806F61E43E583EDCFBC087D8345C7A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039873451571426154
Encrypted:	false
SSDEEP:	3:GHlhVcFMI7NlWPlhVcFMI7Nl1lol8a9//Ylll4llqlyllel4lt:G7VcWYlWDVcWYl1GL9XIwlio
MD5:	1B91022E653FB369788F0D880126B5A6
SHA1:	5B7BAC554E3F16D174E6BC8AB8CC9EA3FB748132
SHA-256:	206A23FF0CA8C79A46D0DBB18DAF657FFB0422E138497B14FFAA3C03E60CCDAD
SHA-512:	EA322382004A8CF8307285F9CF1BA2C071F74130F01086339FB361BCDA247CAD66D90C44C4C428C1668569E6A3E99344129EE294A85703F85C2A55D49358938D
Malicious:	false
Preview:	..-.........................K.V....<....~..l.....-.........................K.V....<....~..l...........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.13417000503708362
Encrypted:	false
SSDEEP:	24:KUWfkH3LxsZ+m2zxsMlCXsMzqCFZ7pCF6C5WUCuSCCQE/HaaKCc7RCGOxsaD2vwo:EMHdQH2VJCXs4qLWeJa1VyYRZk
MD5:	0C6562D0278A55C2C0EEF080CB084886
SHA1:	2AEB472934D0D2373ACC4CC3638236616A234A93
SHA-256:	0A9950CCC2DCC1C9B2267691C49C553EB0B047E8411EBE9C038FBC558D02231C
SHA-512:	69C305198D55120127DE0580B5D8733C7ADF12572812E7F976D1C5CC34813549B2C2BB0605DCA8608C316388F9DFC769FE851B7E45D9E6773CECE207D981FA62
Malicious:	false
Preview:	7....-.............<.......................<.....`.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4794669596529015
Encrypted:	false
SSDEEP:	192:KnPOeRnLYbBp6lJ0aX+46SEXKMKNCO5RHWNBw8dqSl:4DeMJULhG5HEw50
MD5:	D7CF3E7F9A2AAA898A3912AB7C4C2015
SHA1:	891AC7C1A093ABF51AB981F6805FB825C4F91747
SHA-256:	D32C9A9FAA33AA8DB7DAA2BB3F89CFDF4CD51F71CC155DD07D0DB6F42A114FAD
SHA-512:	DCC025910289C9EDCCAE3F8FA82C7F02ED7EFBBF67F252FB36CC8D3313FA8A54D8CD9EDA7B7FEC4DD23C82E393A4127F6DE1EAC21DCA71D6FC4EC00BDC62298C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729703554);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729703554);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729703554);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172970

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.4794669596529015
Encrypted:	false
SSDEEP:	192:KnPOeRnLYbBp6lJ0aX+46SEXKMKNCO5RHWNBw8dqSl:4DeMJULhG5HEw50
MD5:	D7CF3E7F9A2AAA898A3912AB7C4C2015
SHA1:	891AC7C1A093ABF51AB981F6805FB825C4F91747
SHA-256:	D32C9A9FAA33AA8DB7DAA2BB3F89CFDF4CD51F71CC155DD07D0DB6F42A114FAD
SHA-512:	DCC025910289C9EDCCAE3F8FA82C7F02ED7EFBBF67F252FB36CC8D3313FA8A54D8CD9EDA7B7FEC4DD23C82E393A4127F6DE1EAC21DCA71D6FC4EC00BDC62298C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1729703554);..user_pref("app.update.lastUpdateTime.background-update-timer", 1729703554);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1729703554);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172970

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\dfc944d6-4dc4-4e39-bed6-d50f092e1e5b (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.956648081241414
Encrypted:	false
SSDEEP:	12:YZFg9pUUZFzzeIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YPUrzeSlCOlZGV1AQIWZcy6ZXvx
MD5:	2A31D6EFBE6752483D686B3D40DC45EB
SHA1:	78DE847D9E71F2D678A4A3BF82252FB6F003E951
SHA-256:	7E949B0B8B53C8A08223C368694EB53C305E3CB1C621CA8DB7E43A41A93865D4
SHA-512:	594438D271A9E4B92EC99A7392A2BF194004E0A399594C5EB9CCCC43B8EAE0041507F1ACF914042E85214772D123F6710F4FF57A9A43AA61369ACD8E211E695E
Malicious:	false
Preview:	{"type":"health","id":"dfc944d6-4dc4-4e39-bed6-d50f092e1e5b","creationDate":"2024-10-23T17:13:04.713Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\dfc944d6-4dc4-4e39-bed6-d50f092e1e5b.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	493
Entropy (8bit):	4.956648081241414
Encrypted:	false
SSDEEP:	12:YZFg9pUUZFzzeIVHlW8cOlZGV1AQIYzvZcyBuLZGAvxn:YPUrzeSlCOlZGV1AQIWZcy6ZXvx
MD5:	2A31D6EFBE6752483D686B3D40DC45EB
SHA1:	78DE847D9E71F2D678A4A3BF82252FB6F003E951
SHA-256:	7E949B0B8B53C8A08223C368694EB53C305E3CB1C621CA8DB7E43A41A93865D4
SHA-512:	594438D271A9E4B92EC99A7392A2BF194004E0A399594C5EB9CCCC43B8EAE0041507F1ACF914042E85214772D123F6710F4FF57A9A43AA61369ACD8E211E695E
Malicious:	false
Preview:	{"type":"health","id":"dfc944d6-4dc4-4e39-bed6-d50f092e1e5b","creationDate":"2024-10-23T17:13:04.713Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eUnreachable":1}},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95"}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.348230243290256
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSHLXnIrP/pnxQwRcWT5sKmgb0W3eHVpjO+namhujJwO2c0TiVm0BtP:GUpOx2gnRcoegF3erjxn4Jwc3zBtP
MD5:	FB63F340D91CC8BD02E05274D189488E
SHA1:	7740E3E2B6DC7F5CB55EA4AE568377AFB9023F51
SHA-256:	92F207BF031FF00D717874050F4DC7CD2FD7BEA2E7F7075FEF01BDA5F3D275FA
SHA-512:	C5F45D72C6D3823C126C72686DFF8C0398FA964A1D20DAB9F7A5BA02442E31F3301EF625B7E94C276BAB01A9CE0322DC0C5977185C0F5661DFEC6A09E437BFD9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{7af053c6-b579-4b2b-ad19-1882cd5990f0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729703558742,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P23719...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...28221,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.348230243290256
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSHLXnIrP/pnxQwRcWT5sKmgb0W3eHVpjO+namhujJwO2c0TiVm0BtP:GUpOx2gnRcoegF3erjxn4Jwc3zBtP
MD5:	FB63F340D91CC8BD02E05274D189488E
SHA1:	7740E3E2B6DC7F5CB55EA4AE568377AFB9023F51
SHA-256:	92F207BF031FF00D717874050F4DC7CD2FD7BEA2E7F7075FEF01BDA5F3D275FA
SHA-512:	C5F45D72C6D3823C126C72686DFF8C0398FA964A1D20DAB9F7A5BA02442E31F3301EF625B7E94C276BAB01A9CE0322DC0C5977185C0F5661DFEC6A09E437BFD9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{7af053c6-b579-4b2b-ad19-1882cd5990f0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729703558742,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P23719...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...28221,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1563
Entropy (8bit):	6.348230243290256
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSHLXnIrP/pnxQwRcWT5sKmgb0W3eHVpjO+namhujJwO2c0TiVm0BtP:GUpOx2gnRcoegF3erjxn4Jwc3zBtP
MD5:	FB63F340D91CC8BD02E05274D189488E
SHA1:	7740E3E2B6DC7F5CB55EA4AE568377AFB9023F51
SHA-256:	92F207BF031FF00D717874050F4DC7CD2FD7BEA2E7F7075FEF01BDA5F3D275FA
SHA-512:	C5F45D72C6D3823C126C72686DFF8C0398FA964A1D20DAB9F7A5BA02442E31F3301EF625B7E94C276BAB01A9CE0322DC0C5977185C0F5661DFEC6A09E437BFD9
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{7af053c6-b579-4b2b-ad19-1882cd5990f0}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1729703558742,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...3,"startTim..P23719...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...28221,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030067511489819
Encrypted:	false
SSDEEP:	96:yc+bMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:xTEr5NX0z3DhRe
MD5:	618F3B587487D23972685B8897344BD3
SHA1:	578C5612363DAF81C69605D85670188D916EDD55
SHA-256:	44DF6CDB50AA630E9CE5081A8A16FFAFAC00EEC15FA20875EEE959461B655A2A
SHA-512:	861906FA4CA33B554E4E4BFF22CB1DC4BD920D7189969CFB14FFD9A152E8B6BC976F52B167B3976A97B4721697F35FF776207137E4D554BE3DE46200ECC440B7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-23T17:12:12.696Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.030067511489819
Encrypted:	false
SSDEEP:	96:yc+bMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:xTEr5NX0z3DhRe
MD5:	618F3B587487D23972685B8897344BD3
SHA1:	578C5612363DAF81C69605D85670188D916EDD55
SHA-256:	44DF6CDB50AA630E9CE5081A8A16FFAFAC00EEC15FA20875EEE959461B655A2A
SHA-512:	861906FA4CA33B554E4E4BFF22CB1DC4BD920D7189969CFB14FFD9A152E8B6BC976F52B167B3976A97B4721697F35FF776207137E4D554BE3DE46200ECC440B7
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-23T17:12:12.696Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584685263750239
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	4bd898f7538e346e91e4c83e0c11ad2a
SHA1:	f582f982b3adbdb5eb1baeedbfff063fbc90cbc4
SHA256:	e3356f3e1f7ab9698f237f04f492a90900f37d1e4b4682c0d9c1f810108c9cf6
SHA512:	a01e758dcc0baad1c9ed560abba051ea06a09d663cc1481012d00f1c1b87e80fe9e7972716f8004a5530443e08d521762c53fc55a16bf902aa914cb7232f8d92
SSDEEP:	12288:vqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T2:vqDEvCTbMWu7rQYlBQcBiT6rprG8ab2
TLSH:	5E159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671919A2 [Wed Oct 23 15:43:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA94CBB7AA3h
jmp 00007FA94CBB73AFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA94CBB758Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA94CBB755Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA94CBBA14Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA94CBBA198h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA94CBBA181h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	c7a50887c1bf383ca09bebb45b0b03c0	False	0.31566455696202533	data	5.373781796520225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 17:59:59.280364037 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.280402899 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.289143085 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.293431997 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.293452024 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.916465998 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.916480064 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.916553974 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.924030066 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.924040079 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.924276114 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.924339056 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.924339056 CEST	49710	443	192.168.2.5	35.190.72.216
Oct 23, 2024 17:59:59.924349070 CEST	443	49710	35.190.72.216	192.168.2.5
Oct 23, 2024 17:59:59.974073887 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 17:59:59.974106073 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 17:59:59.974971056 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 17:59:59.976694107 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 17:59:59.976706982 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 17:59:59.995264053 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 17:59:59.995301962 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 17:59:59.998338938 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:00.013504028 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:00.013523102 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.017573118 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:00.022959948 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:00.023333073 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:00.023333073 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:00.028666019 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:00.447365046 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:00.447411060 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:00.447591066 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:00.448986053 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:00.449009895 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:00.638174057 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:00.678255081 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:00.822016001 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.822731972 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.825522900 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:00.825544119 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.862395048 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.863403082 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.875972033 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:00.876012087 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:00.876039028 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:00.936404943 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.062982082 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.063086987 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.136401892 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.136415005 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.136486053 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.136611938 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.136637926 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.136715889 CEST	443	49711	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.136884928 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.136895895 CEST	443	49712	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.137299061 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.137316942 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.138434887 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.138463020 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.138513088 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.138654947 CEST	443	49714	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.139612913 CEST	49711	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.139645100 CEST	49712	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.139681101 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.139681101 CEST	49714	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.140846968 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.140855074 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.148585081 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.148649931 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.149360895 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.150691032 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.150721073 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.153969049 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.154037952 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.157725096 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.159046888 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.159089088 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.164207935 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.164228916 CEST	443	49719	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:01.164776087 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.164876938 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.164916039 CEST	443	49719	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:01.231398106 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.236731052 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:01.252419949 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.252419949 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.257900000 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:01.264780045 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.264842987 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 23, 2024 18:00:01.265001059 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.265180111 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.265193939 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 23, 2024 18:00:01.771538019 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.771629095 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.776813030 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.776856899 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.776915073 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.777040958 CEST	443	49717	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.777096033 CEST	49717	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.777566910 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.777633905 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.779710054 CEST	443	49719	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:01.779810905 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.782553911 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.782565117 CEST	443	49719	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:01.782804966 CEST	443	49719	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:01.784924030 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.784929037 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.785134077 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.785204887 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.785212040 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.785562038 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.785593987 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.785804033 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.787502050 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.787513018 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.787564993 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.787635088 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.787712097 CEST	443	49719	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:01.787883997 CEST	49719	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:01.851948023 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:01.856919050 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.858633995 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.862627983 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:01.864178896 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:01.875478983 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.875504971 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:01.898741961 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 23, 2024 18:00:01.902729988 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.914835930 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.914869070 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 23, 2024 18:00:01.915182114 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 23, 2024 18:00:01.916877031 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.916948080 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.917040110 CEST	443	49721	34.160.144.191	192.168.2.5
Oct 23, 2024 18:00:01.920203924 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.920243979 CEST	49721	443	192.168.2.5	34.160.144.191
Oct 23, 2024 18:00:01.988645077 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.989373922 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.989418983 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.989442110 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.989475012 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.991343975 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:01.991445065 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:01.994010925 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.994025946 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.994112015 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:01.994226933 CEST	443	49716	142.250.181.238	192.168.2.5
Oct 23, 2024 18:00:01.994287968 CEST	49716	443	192.168.2.5	142.250.181.238
Oct 23, 2024 18:00:02.235707998 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:02.241117001 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:02.254431009 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:02.396509886 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:02.396590948 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.401349068 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.401359081 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:02.401442051 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.401737928 CEST	443	49722	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:02.401792049 CEST	49722	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.493771076 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:02.499145985 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:02.499222994 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:02.499401093 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:02.504720926 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:02.520915985 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.520948887 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:02.524043083 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.525475025 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:02.525485992 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:02.743247986 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:02.743308067 CEST	443	49727	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:02.746429920 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:02.747884035 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:02.747912884 CEST	443	49727	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:02.879573107 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:02.879609108 CEST	443	49728	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:02.884146929 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:02.888148069 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:02.888164043 CEST	443	49728	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:02.902326107 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:02.902367115 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:02.903000116 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:02.903165102 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:02.903175116 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:02.945657969 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:02.945699930 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:02.946422100 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:02.947838068 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:02.947850943 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:03.119925022 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:03.138174057 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:03.138624907 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:03.142445087 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:03.142445087 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:03.142457962 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:03.142664909 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 23, 2024 18:00:03.144300938 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 23, 2024 18:00:03.175096035 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:03.235707045 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:03.241038084 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:03.255975008 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:03.576193094 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:03.576497078 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:03.579071999 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:03.579083920 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:03.579235077 CEST	443	49727	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:03.579327106 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:03.579570055 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:03.580094099 CEST	443	49728	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:03.580771923 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:03.582518101 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:03.582607031 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:03.582669020 CEST	443	49729	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:03.583147049 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:03.583157063 CEST	443	49727	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:03.583197117 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:03.583405972 CEST	443	49727	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:03.584187031 CEST	49729	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:03.584196091 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:03.584206104 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:03.585114956 CEST	49727	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:03.589822054 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:03.589838028 CEST	443	49728	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:03.589884043 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:03.589950085 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:03.589977980 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:03.590010881 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:03.590121984 CEST	443	49728	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:03.590171099 CEST	443	49730	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:03.590313911 CEST	49728	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:03.590435028 CEST	49730	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.426209927 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.428983927 CEST	49733	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.432516098 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.434961081 CEST	80	49733	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.448354006 CEST	49733	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.448504925 CEST	49733	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.455893040 CEST	80	49733	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.505078077 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.505141973 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:05.505233049 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.505271912 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:05.505851984 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.505974054 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.505994081 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:05.506061077 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.506182909 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.506197929 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:05.507680893 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.507723093 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:05.508342028 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.509689093 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:05.509708881 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:05.553947926 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.554645061 CEST	49733	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.558193922 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.563692093 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.563780069 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.563919067 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.570128918 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.596385956 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:05.601680040 CEST	80	49733	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.925517082 CEST	80	49733	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:05.929111004 CEST	49733	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.122535944 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.122620106 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.129420996 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.129503012 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.131274939 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.131340027 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.152574062 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.152612925 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.153543949 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.169648886 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.169683933 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.170084953 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.170835018 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.173234940 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.173505068 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.173526049 CEST	443	49735	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.173855066 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.173855066 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.173883915 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.174093962 CEST	443	49736	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.174210072 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.174264908 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.174428940 CEST	443	49734	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.175121069 CEST	49735	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.175137043 CEST	49736	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.175357103 CEST	49734	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.176695108 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.179281950 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.179310083 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.179542065 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.180897951 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.180907011 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.182929039 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.213886023 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.305337906 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.308221102 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.313637972 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.345438004 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.434858084 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.483541012 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.799128056 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.799212933 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.803329945 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.803352118 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.803426981 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.803551912 CEST	443	49738	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:06.806282043 CEST	49738	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:06.807085037 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.812465906 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.934410095 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.946907043 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:06.952330112 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:06.984966040 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:07.073574066 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:07.116565943 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:08.663810015 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:08.669780970 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:08.669800043 CEST	80	49724	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:08.670577049 CEST	49724	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:13.463251114 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:13.463284016 CEST	443	49755	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:13.465253115 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:13.466851950 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:13.466861010 CEST	443	49755	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:14.065587997 CEST	443	49755	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:14.065701008 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:14.847060919 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:14.847096920 CEST	443	49755	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:14.847176075 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:14.847438097 CEST	443	49755	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:14.858871937 CEST	49755	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:15.605062962 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:15.915204048 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:16.014194012 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:16.014923096 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:16.017544985 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:16.062299967 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:17.081007004 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:17.086451054 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:17.151038885 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:17.156419039 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:17.277753115 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:17.319400072 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:25.052156925 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.052203894 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:25.052400112 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.053881884 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.053900003 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:25.674505949 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:25.674659014 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.680037022 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.680069923 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:25.680149078 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.680224895 CEST	443	49809	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:25.680282116 CEST	49809	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:25.683374882 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:25.688889980 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:25.810700893 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:25.814425945 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:25.819889069 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:25.857816935 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:25.941267967 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:25.989389896 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:27.942667007 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:27.942714930 CEST	443	49822	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:27.945435047 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:27.945625067 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:27.945637941 CEST	443	49822	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:27.965154886 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:27.965193987 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:27.976305008 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:27.976469040 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:27.976490974 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:27.977509975 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:27.977554083 CEST	443	49824	151.101.1.91	192.168.2.5
Oct 23, 2024 18:00:27.979667902 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:27.979860067 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:27.979883909 CEST	443	49824	151.101.1.91	192.168.2.5
Oct 23, 2024 18:00:28.023170948 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.023247957 CEST	443	49825	35.190.72.216	192.168.2.5
Oct 23, 2024 18:00:28.033143997 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.035038948 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.035064936 CEST	443	49825	35.190.72.216	192.168.2.5
Oct 23, 2024 18:00:28.037014008 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.037048101 CEST	443	49826	35.201.103.21	192.168.2.5
Oct 23, 2024 18:00:28.039663076 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.041218996 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.041237116 CEST	443	49826	35.201.103.21	192.168.2.5
Oct 23, 2024 18:00:28.560565948 CEST	443	49822	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.560664892 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.564280033 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.564311981 CEST	443	49822	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.564754963 CEST	443	49822	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.567248106 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.567377090 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.567500114 CEST	443	49822	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.568065882 CEST	49822	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.571935892 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:28.577343941 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:28.584127903 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.584141970 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.584238052 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.587284088 CEST	443	49824	151.101.1.91	192.168.2.5
Oct 23, 2024 18:00:28.587306023 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.587317944 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.587351084 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:28.587608099 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.590200901 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:28.590214968 CEST	443	49824	151.101.1.91	192.168.2.5
Oct 23, 2024 18:00:28.590423107 CEST	443	49824	151.101.1.91	192.168.2.5
Oct 23, 2024 18:00:28.593142033 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.593240023 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.593286991 CEST	443	49823	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.593492031 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:28.593545914 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:28.593622923 CEST	443	49824	151.101.1.91	192.168.2.5
Oct 23, 2024 18:00:28.593831062 CEST	49823	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.593839884 CEST	49824	443	192.168.2.5	151.101.1.91
Oct 23, 2024 18:00:28.602991104 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.603044033 CEST	443	49831	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.604487896 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.604579926 CEST	443	49832	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.604806900 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.604861021 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.604937077 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.604943037 CEST	443	49831	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.605062962 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.605082035 CEST	443	49832	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.606550932 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.606621027 CEST	443	49833	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.606781960 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.606883049 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:28.606899023 CEST	443	49833	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:28.664422035 CEST	443	49825	35.190.72.216	192.168.2.5
Oct 23, 2024 18:00:28.664444923 CEST	443	49825	35.190.72.216	192.168.2.5
Oct 23, 2024 18:00:28.664515018 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.666265965 CEST	443	49826	35.201.103.21	192.168.2.5
Oct 23, 2024 18:00:28.668523073 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.668540955 CEST	443	49825	35.190.72.216	192.168.2.5
Oct 23, 2024 18:00:28.668634892 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.668816090 CEST	443	49825	35.190.72.216	192.168.2.5
Oct 23, 2024 18:00:28.675343037 CEST	443	49826	35.201.103.21	192.168.2.5
Oct 23, 2024 18:00:28.676124096 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.676191092 CEST	49825	443	192.168.2.5	35.190.72.216
Oct 23, 2024 18:00:28.680876017 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.680886984 CEST	443	49826	35.201.103.21	192.168.2.5
Oct 23, 2024 18:00:28.680982113 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.681180954 CEST	443	49826	35.201.103.21	192.168.2.5
Oct 23, 2024 18:00:28.681284904 CEST	49826	443	192.168.2.5	35.201.103.21
Oct 23, 2024 18:00:28.696507931 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.696549892 CEST	443	49834	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.696671963 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.696794033 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:28.696799994 CEST	443	49834	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:28.699147940 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:28.705435038 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:28.710764885 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:28.750756025 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:28.832706928 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:28.882302046 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:29.220639944 CEST	443	49831	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.220753908 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.224111080 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.224123001 CEST	443	49831	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.224528074 CEST	443	49831	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.226521015 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.226648092 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.226778984 CEST	443	49831	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.226950884 CEST	49831	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.231096983 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:29.232855082 CEST	443	49833	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.233387947 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.236341953 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.236378908 CEST	443	49833	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.236556053 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:29.236790895 CEST	443	49833	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.238720894 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.238792896 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.238920927 CEST	443	49833	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.239619017 CEST	49833	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.244980097 CEST	443	49832	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.245654106 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.248246908 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.248297930 CEST	443	49832	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.248572111 CEST	443	49832	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.250226021 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.250317097 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.250406027 CEST	443	49832	35.244.181.201	192.168.2.5
Oct 23, 2024 18:00:29.250482082 CEST	49832	443	192.168.2.5	35.244.181.201
Oct 23, 2024 18:00:29.311779976 CEST	443	49834	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:29.311979055 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:29.315548897 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:29.315556049 CEST	443	49834	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:29.315908909 CEST	443	49834	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:29.318203926 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:29.318329096 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:29.318389893 CEST	443	49834	34.149.100.209	192.168.2.5
Oct 23, 2024 18:00:29.318615913 CEST	49834	443	192.168.2.5	34.149.100.209
Oct 23, 2024 18:00:29.359436989 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:29.362802982 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:29.369596958 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:29.415276051 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:29.489975929 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:29.537574053 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:39.372803926 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:39.378267050 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:39.504352093 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:39.509691954 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:46.293797016 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.293864965 CEST	443	49922	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:46.293958902 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.295375109 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.295397043 CEST	443	49922	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:46.912611961 CEST	443	49922	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:46.916656017 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.925698042 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.925748110 CEST	443	49922	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:46.925844908 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.925941944 CEST	443	49922	34.107.243.93	192.168.2.5
Oct 23, 2024 18:00:46.926120043 CEST	49922	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:00:46.929014921 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:46.934429884 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:47.055985928 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:47.059611082 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:47.065157890 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:47.111324072 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:47.187060118 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:47.227250099 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:57.056822062 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:57.062316895 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:57.194916964 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:57.201690912 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:58.167793989 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.167844057 CEST	443	49988	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.173378944 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.173537016 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.173548937 CEST	443	49988	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.194142103 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.194197893 CEST	443	49990	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.195463896 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.195463896 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.195506096 CEST	443	49990	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.799616098 CEST	443	49988	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.803514957 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.806802988 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.806816101 CEST	443	49988	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.807279110 CEST	443	49988	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.810652018 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.810765028 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.810905933 CEST	443	49988	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.811311007 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.811333895 CEST	49988	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.815753937 CEST	443	49990	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.820067883 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.826889038 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.826903105 CEST	443	49990	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.827239037 CEST	443	49990	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.828938961 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.829046011 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.829128981 CEST	443	49990	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:58.829201937 CEST	49990	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:58.999895096 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.001837015 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.001883984 CEST	443	49996	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.003266096 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.003447056 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.003462076 CEST	443	49996	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.005409002 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.008142948 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.008219004 CEST	443	49997	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.008994102 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.009098053 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.009129047 CEST	443	49997	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.052767992 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.052809000 CEST	443	49998	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.053108931 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.053282976 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.053299904 CEST	443	49998	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.127583981 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.185298920 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.572007895 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.575630903 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.577694893 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.581253052 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.618115902 CEST	443	49997	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.618207932 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.621201992 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.621232986 CEST	443	49997	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.621484995 CEST	443	49997	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.623750925 CEST	443	49996	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.623805046 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.623851061 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.623909950 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.623939037 CEST	443	49997	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.624135017 CEST	49997	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.627080917 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.627095938 CEST	443	49996	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.627443075 CEST	443	49996	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.629827023 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.629906893 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.630017042 CEST	443	49996	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.630127907 CEST	49996	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.659138918 CEST	443	49998	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.659229040 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.662273884 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.662281036 CEST	443	49998	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.662945986 CEST	443	49998	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.665383101 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.665482044 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.665499926 CEST	443	49998	34.120.208.123	192.168.2.5
Oct 23, 2024 18:00:59.665621042 CEST	49998	443	192.168.2.5	34.120.208.123
Oct 23, 2024 18:00:59.699127913 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.702785969 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.748805046 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.764401913 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.816346884 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.817630053 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:00:59.821734905 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:00:59.823157072 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:00.107203960 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:00.107223988 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:00.150016069 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:00.150027037 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:00.172194004 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:00.177794933 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:00.300234079 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:00.350611925 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:10.118314028 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:10.123822927 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:10.303248882 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:10.308760881 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:20.135338068 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:20.313308001 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:20.488770962 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:20.488792896 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:26.947386026 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:26.947422028 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 23, 2024 18:01:26.947498083 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:26.949095011 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:26.949109077 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 23, 2024 18:01:27.559750080 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 23, 2024 18:01:27.559830904 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:27.564593077 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:27.564604044 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 23, 2024 18:01:27.564804077 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:27.564831972 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 23, 2024 18:01:27.565886021 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:01:27.568217039 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:27.573615074 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:27.695996046 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:27.700210094 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:27.705590010 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:27.736223936 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:27.826795101 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:27.874320984 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:37.709536076 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:37.807734966 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:37.841051102 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:37.846386909 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:47.816293001 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:47.821872950 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:47.853928089 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:47.859343052 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:57.829468012 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:57.835092068 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:01:57.867366076 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:01:57.872989893 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:07.844388962 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:07.856468916 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:07.875616074 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:07.881248951 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:17.857212067 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:17.862647057 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:17.888452053 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:17.894048929 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:27.870732069 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:27.876292944 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:27.901958942 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:27.907388926 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:37.884115934 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:37.889734983 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:37.915376902 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:37.920855999 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:47.690125942 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:47.690176964 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 23, 2024 18:02:47.690418959 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:47.692701101 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:47.692718029 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 23, 2024 18:02:47.895745039 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:47.901547909 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:47.933607101 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:47.939071894 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:48.316657066 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 23, 2024 18:02:48.316776037 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:48.324045897 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:48.324076891 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 23, 2024 18:02:48.324193954 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:48.324300051 CEST	443	50032	34.107.243.93	192.168.2.5
Oct 23, 2024 18:02:48.327332020 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:48.327672958 CEST	50032	443	192.168.2.5	34.107.243.93
Oct 23, 2024 18:02:48.332734108 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:48.455079079 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:48.459237099 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:48.464601994 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:48.497716904 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:48.586297035 CEST	80	49737	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:48.635293007 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:58.474869013 CEST	49725	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:58.480842113 CEST	80	49725	34.107.221.82	192.168.2.5
Oct 23, 2024 18:02:58.590817928 CEST	49737	80	192.168.2.5	34.107.221.82
Oct 23, 2024 18:02:58.596510887 CEST	80	49737	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2024 17:59:59.280698061 CEST	53016	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.288316011 CEST	53	53016	1.1.1.1	192.168.2.5
Oct 23, 2024 17:59:59.302753925 CEST	59982	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.310101032 CEST	53	59982	1.1.1.1	192.168.2.5
Oct 23, 2024 17:59:59.950867891 CEST	49835	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.960524082 CEST	53	49835	1.1.1.1	192.168.2.5
Oct 23, 2024 17:59:59.964163065 CEST	58241	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.978465080 CEST	64560	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.980092049 CEST	64644	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.986407995 CEST	53	64560	1.1.1.1	192.168.2.5
Oct 23, 2024 17:59:59.988286018 CEST	53	64644	1.1.1.1	192.168.2.5
Oct 23, 2024 17:59:59.990349054 CEST	52819	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.991008043 CEST	61345	53	192.168.2.5	1.1.1.1
Oct 23, 2024 17:59:59.997776985 CEST	53	52819	1.1.1.1	192.168.2.5
Oct 23, 2024 17:59:59.998394966 CEST	53	61345	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:00.439151049 CEST	62219	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:00.446497917 CEST	53	62219	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:00.447531939 CEST	60124	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:00.454786062 CEST	53	60124	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:00.459929943 CEST	55330	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:00.467195988 CEST	53	55330	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.144659996 CEST	62015	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.152975082 CEST	53	62015	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.153429031 CEST	64103	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.154072046 CEST	53165	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.160918951 CEST	53	64103	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.161309004 CEST	53	53165	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.162368059 CEST	49973	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.164700985 CEST	59957	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.170577049 CEST	53	49973	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.182100058 CEST	62428	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.186964989 CEST	53	59957	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.187536955 CEST	50328	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.189954996 CEST	53	62428	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.195249081 CEST	53	50328	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.221232891 CEST	64051	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.223515034 CEST	49218	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.230957031 CEST	53	49218	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.266304016 CEST	58751	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.273763895 CEST	53	58751	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.275496960 CEST	59582	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.282876015 CEST	53	59582	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:01.853709936 CEST	56632	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:01.912719011 CEST	53	62092	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.529231071 CEST	58762	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.538012028 CEST	53	58762	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.541085005 CEST	65390	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.548216105 CEST	53	65390	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.555845022 CEST	61338	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.563369036 CEST	53	61338	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.860419035 CEST	62099	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.869326115 CEST	53	62099	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.880022049 CEST	55889	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.888267994 CEST	53	55889	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.904192924 CEST	60311	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.913170099 CEST	53	60311	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.945816040 CEST	65169	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.953931093 CEST	53	65169	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:02.978153944 CEST	49865	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:02.989950895 CEST	53	49865	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:05.441266060 CEST	50972	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:05.451778889 CEST	53	50972	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:05.466116905 CEST	58429	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:05.474448919 CEST	53	58429	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:05.476314068 CEST	55733	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:05.483889103 CEST	53	55733	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.062547922 CEST	63970	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.062547922 CEST	51350	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.062906027 CEST	55092	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.070260048 CEST	53	51350	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.070513010 CEST	53	63970	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.071338892 CEST	53	55092	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.087999105 CEST	49604	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.096765041 CEST	53	49604	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.100378990 CEST	54717	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.100603104 CEST	65338	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.107613087 CEST	49303	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.108840942 CEST	53	54717	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.108915091 CEST	53	65338	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.110910892 CEST	63321	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.113554955 CEST	49198	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.115144014 CEST	53	49303	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.119671106 CEST	53	63321	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.124531984 CEST	53	49198	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.131864071 CEST	51610	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.136693001 CEST	54178	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.140002966 CEST	53	51610	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.144764900 CEST	53	54178	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.148837090 CEST	53734	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.157272100 CEST	53	53734	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.172950029 CEST	60099	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.173634052 CEST	53176	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.182694912 CEST	53	60099	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.184339046 CEST	53	53176	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:11.187956095 CEST	49466	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:11.195422888 CEST	53	49466	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:12.518389940 CEST	54929	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:12.526207924 CEST	53	54929	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:12.528117895 CEST	58430	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:12.535970926 CEST	53	58430	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:25.043427944 CEST	58940	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:25.050898075 CEST	53	58940	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:25.051851988 CEST	55513	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:25.059874058 CEST	53	55513	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:27.943833113 CEST	51163	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:27.951842070 CEST	53	51163	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:27.965045929 CEST	57091	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:27.973151922 CEST	53	57091	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:27.977858067 CEST	61299	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:27.986774921 CEST	53	61299	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:27.987603903 CEST	54671	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:27.997793913 CEST	53	54671	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:28.023941994 CEST	53527	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:28.031836987 CEST	53	53527	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:28.037646055 CEST	50973	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:28.045820951 CEST	53	50973	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:28.050153017 CEST	60239	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:28.060204029 CEST	53	60239	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:46.284854889 CEST	61985	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:46.292511940 CEST	53	61985	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:46.293600082 CEST	52842	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:46.302203894 CEST	53	52842	1.1.1.1	192.168.2.5
Oct 23, 2024 18:00:46.929301023 CEST	55193	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:58.166572094 CEST	49907	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:00:58.174235106 CEST	53	49907	1.1.1.1	192.168.2.5
Oct 23, 2024 18:01:26.938195944 CEST	51674	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:01:26.946197987 CEST	53	51674	1.1.1.1	192.168.2.5
Oct 23, 2024 18:01:26.947344065 CEST	53256	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:01:26.956115007 CEST	53	53256	1.1.1.1	192.168.2.5
Oct 23, 2024 18:01:27.568480968 CEST	50204	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:02:47.669045925 CEST	49557	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:02:47.676728964 CEST	53	49557	1.1.1.1	192.168.2.5
Oct 23, 2024 18:02:47.678045988 CEST	63198	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:02:47.685384989 CEST	53	63198	1.1.1.1	192.168.2.5
Oct 23, 2024 18:02:47.689127922 CEST	50277	53	192.168.2.5	1.1.1.1
Oct 23, 2024 18:02:47.697041988 CEST	53	50277	1.1.1.1	192.168.2.5
Oct 23, 2024 18:02:48.327605963 CEST	49739	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 23, 2024 17:59:59.280698061 CEST	192.168.2.5	1.1.1.1	0x6b6d	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.302753925 CEST	192.168.2.5	1.1.1.1	0xb451	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 17:59:59.950867891 CEST	192.168.2.5	1.1.1.1	0x8cf6	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.964163065 CEST	192.168.2.5	1.1.1.1	0x629e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.978465080 CEST	192.168.2.5	1.1.1.1	0x6d44	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.980092049 CEST	192.168.2.5	1.1.1.1	0x6c07	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.990349054 CEST	192.168.2.5	1.1.1.1	0xc5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 17:59:59.991008043 CEST	192.168.2.5	1.1.1.1	0xaf3a	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:00.439151049 CEST	192.168.2.5	1.1.1.1	0xb206	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:00.447531939 CEST	192.168.2.5	1.1.1.1	0x8dfd	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:00.459929943 CEST	192.168.2.5	1.1.1.1	0xbb78	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:01.144659996 CEST	192.168.2.5	1.1.1.1	0x2b83	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.153429031 CEST	192.168.2.5	1.1.1.1	0x9cb3	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.154072046 CEST	192.168.2.5	1.1.1.1	0xa282	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.162368059 CEST	192.168.2.5	1.1.1.1	0x6f7d	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.164700985 CEST	192.168.2.5	1.1.1.1	0x9ee	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.182100058 CEST	192.168.2.5	1.1.1.1	0x4b21	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:01.187536955 CEST	192.168.2.5	1.1.1.1	0x2469	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:01.221232891 CEST	192.168.2.5	1.1.1.1	0x8e22	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.223515034 CEST	192.168.2.5	1.1.1.1	0xdd44	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.266304016 CEST	192.168.2.5	1.1.1.1	0x9052	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.275496960 CEST	192.168.2.5	1.1.1.1	0x3ab8	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:01.853709936 CEST	192.168.2.5	1.1.1.1	0x5099	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.529231071 CEST	192.168.2.5	1.1.1.1	0x539a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.541085005 CEST	192.168.2.5	1.1.1.1	0xdc3f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.555845022 CEST	192.168.2.5	1.1.1.1	0x5f54	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:02.860419035 CEST	192.168.2.5	1.1.1.1	0xdfa0	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.880022049 CEST	192.168.2.5	1.1.1.1	0x4837	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.904192924 CEST	192.168.2.5	1.1.1.1	0xb5e6	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:02.945816040 CEST	192.168.2.5	1.1.1.1	0x513c	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.978153944 CEST	192.168.2.5	1.1.1.1	0x29e6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:05.441266060 CEST	192.168.2.5	1.1.1.1	0xe6ce	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:05.466116905 CEST	192.168.2.5	1.1.1.1	0x2630	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:05.476314068 CEST	192.168.2.5	1.1.1.1	0x6f46	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:11.062547922 CEST	192.168.2.5	1.1.1.1	0x324a	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.062547922 CEST	192.168.2.5	1.1.1.1	0x5182	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.062906027 CEST	192.168.2.5	1.1.1.1	0x4a77	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.087999105 CEST	192.168.2.5	1.1.1.1	0x6a86	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.100378990 CEST	192.168.2.5	1.1.1.1	0x2128	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.100603104 CEST	192.168.2.5	1.1.1.1	0xa815	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.107613087 CEST	192.168.2.5	1.1.1.1	0x1ed7	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:11.110910892 CEST	192.168.2.5	1.1.1.1	0x5d5	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:11.113554955 CEST	192.168.2.5	1.1.1.1	0x4db1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 23, 2024 18:00:11.131864071 CEST	192.168.2.5	1.1.1.1	0x58a9	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.136693001 CEST	192.168.2.5	1.1.1.1	0x6773	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.148837090 CEST	192.168.2.5	1.1.1.1	0x942	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.172950029 CEST	192.168.2.5	1.1.1.1	0x7964	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:11.173634052 CEST	192.168.2.5	1.1.1.1	0xd200	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.187956095 CEST	192.168.2.5	1.1.1.1	0x3523	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:12.518389940 CEST	192.168.2.5	1.1.1.1	0x6fb8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:12.528117895 CEST	192.168.2.5	1.1.1.1	0x475e	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:25.043427944 CEST	192.168.2.5	1.1.1.1	0xb59b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:25.051851988 CEST	192.168.2.5	1.1.1.1	0xb471	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:27.943833113 CEST	192.168.2.5	1.1.1.1	0x2596	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 23, 2024 18:00:27.965045929 CEST	192.168.2.5	1.1.1.1	0xf477	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.977858067 CEST	192.168.2.5	1.1.1.1	0xeb3c	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.987603903 CEST	192.168.2.5	1.1.1.1	0x5228	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 23, 2024 18:00:28.023941994 CEST	192.168.2.5	1.1.1.1	0x28a2	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:28.037646055 CEST	192.168.2.5	1.1.1.1	0xb91d	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:28.050153017 CEST	192.168.2.5	1.1.1.1	0x9a8b	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:46.284854889 CEST	192.168.2.5	1.1.1.1	0xa12b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:46.293600082 CEST	192.168.2.5	1.1.1.1	0x73d6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:00:46.929301023 CEST	192.168.2.5	1.1.1.1	0xc08b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:58.166572094 CEST	192.168.2.5	1.1.1.1	0x6bc	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:01:26.938195944 CEST	192.168.2.5	1.1.1.1	0xfd89	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:01:26.947344065 CEST	192.168.2.5	1.1.1.1	0x2af8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:01:27.568480968 CEST	192.168.2.5	1.1.1.1	0x8562	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:02:47.669045925 CEST	192.168.2.5	1.1.1.1	0x10e4	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:02:47.678045988 CEST	192.168.2.5	1.1.1.1	0x5511	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:02:47.689127922 CEST	192.168.2.5	1.1.1.1	0x6dd3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 23, 2024 18:02:48.327605963 CEST	192.168.2.5	1.1.1.1	0x3bb3	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 23, 2024 17:59:59.266278982 CEST	1.1.1.1	192.168.2.5	0x7f7d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.288316011 CEST	1.1.1.1	192.168.2.5	0x6b6d	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.960524082 CEST	1.1.1.1	192.168.2.5	0x8cf6	No error (0)	youtube.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.972111940 CEST	1.1.1.1	192.168.2.5	0x629e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 17:59:59.972111940 CEST	1.1.1.1	192.168.2.5	0x629e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.986407995 CEST	1.1.1.1	192.168.2.5	0x6d44	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.988286018 CEST	1.1.1.1	192.168.2.5	0x6c07	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 17:59:59.997776985 CEST	1.1.1.1	192.168.2.5	0xc5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 23, 2024 17:59:59.998394966 CEST	1.1.1.1	192.168.2.5	0xaf3a	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 23, 2024 18:00:00.446497917 CEST	1.1.1.1	192.168.2.5	0xb206	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:00.454786062 CEST	1.1.1.1	192.168.2.5	0x8dfd	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.152975082 CEST	1.1.1.1	192.168.2.5	0x2b83	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:01.152975082 CEST	1.1.1.1	192.168.2.5	0x2b83	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.160918951 CEST	1.1.1.1	192.168.2.5	0x9cb3	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.161309004 CEST	1.1.1.1	192.168.2.5	0xa282	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.161309004 CEST	1.1.1.1	192.168.2.5	0xa282	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.163625002 CEST	1.1.1.1	192.168.2.5	0xdcf8	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:01.163625002 CEST	1.1.1.1	192.168.2.5	0xdcf8	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.170577049 CEST	1.1.1.1	192.168.2.5	0x6f7d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.186964989 CEST	1.1.1.1	192.168.2.5	0x9ee	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.229403019 CEST	1.1.1.1	192.168.2.5	0x8e22	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:01.229403019 CEST	1.1.1.1	192.168.2.5	0x8e22	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.230957031 CEST	1.1.1.1	192.168.2.5	0xdd44	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:01.230957031 CEST	1.1.1.1	192.168.2.5	0xdd44	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:01.230957031 CEST	1.1.1.1	192.168.2.5	0xdd44	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.273763895 CEST	1.1.1.1	192.168.2.5	0x9052	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:01.282876015 CEST	1.1.1.1	192.168.2.5	0x3ab8	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 23, 2024 18:00:01.861264944 CEST	1.1.1.1	192.168.2.5	0x5099	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:02.538012028 CEST	1.1.1.1	192.168.2.5	0x539a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.548216105 CEST	1.1.1.1	192.168.2.5	0xdc3f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.869326115 CEST	1.1.1.1	192.168.2.5	0xdfa0	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:02.869326115 CEST	1.1.1.1	192.168.2.5	0xdfa0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.888267994 CEST	1.1.1.1	192.168.2.5	0x4837	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.897423029 CEST	1.1.1.1	192.168.2.5	0x9a9d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:02.897423029 CEST	1.1.1.1	192.168.2.5	0x9a9d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.944849014 CEST	1.1.1.1	192.168.2.5	0x3492	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:02.953931093 CEST	1.1.1.1	192.168.2.5	0x513c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:05.451778889 CEST	1.1.1.1	192.168.2.5	0xe6ce	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:05.451778889 CEST	1.1.1.1	192.168.2.5	0xe6ce	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:05.451778889 CEST	1.1.1.1	192.168.2.5	0xe6ce	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:05.474448919 CEST	1.1.1.1	192.168.2.5	0x2630	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:05.495704889 CEST	1.1.1.1	192.168.2.5	0xac19	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070260048 CEST	1.1.1.1	192.168.2.5	0x5182	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070513010 CEST	1.1.1.1	192.168.2.5	0x324a	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:11.070513010 CEST	1.1.1.1	192.168.2.5	0x324a	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.071338892 CEST	1.1.1.1	192.168.2.5	0x4a77	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:11.071338892 CEST	1.1.1.1	192.168.2.5	0x4a77	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.096765041 CEST	1.1.1.1	192.168.2.5	0x6a86	No error (0)	youtube-ui.l.google.com		172.217.18.110	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.108840942 CEST	1.1.1.1	192.168.2.5	0x2128	No error (0)	star-mini.c10r.facebook.com		157.240.251.35	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.108915091 CEST	1.1.1.1	192.168.2.5	0xa815	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.115144014 CEST	1.1.1.1	192.168.2.5	0x1ed7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 18:00:11.115144014 CEST	1.1.1.1	192.168.2.5	0x1ed7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 18:00:11.115144014 CEST	1.1.1.1	192.168.2.5	0x1ed7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 18:00:11.115144014 CEST	1.1.1.1	192.168.2.5	0x1ed7	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 23, 2024 18:00:11.119671106 CEST	1.1.1.1	192.168.2.5	0x5d5	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 23, 2024 18:00:11.124531984 CEST	1.1.1.1	192.168.2.5	0x4db1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 23, 2024 18:00:11.140002966 CEST	1.1.1.1	192.168.2.5	0x58a9	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:11.140002966 CEST	1.1.1.1	192.168.2.5	0x58a9	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.140002966 CEST	1.1.1.1	192.168.2.5	0x58a9	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.140002966 CEST	1.1.1.1	192.168.2.5	0x58a9	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.140002966 CEST	1.1.1.1	192.168.2.5	0x58a9	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.144764900 CEST	1.1.1.1	192.168.2.5	0x6773	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.157272100 CEST	1.1.1.1	192.168.2.5	0x942	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.157272100 CEST	1.1.1.1	192.168.2.5	0x942	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.157272100 CEST	1.1.1.1	192.168.2.5	0x942	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.157272100 CEST	1.1.1.1	192.168.2.5	0x942	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:11.184339046 CEST	1.1.1.1	192.168.2.5	0xd200	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:12.526207924 CEST	1.1.1.1	192.168.2.5	0x6fb8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:25.050898075 CEST	1.1.1.1	192.168.2.5	0xb59b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.973151922 CEST	1.1.1.1	192.168.2.5	0xf477	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.973151922 CEST	1.1.1.1	192.168.2.5	0xf477	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.973151922 CEST	1.1.1.1	192.168.2.5	0xf477	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.973151922 CEST	1.1.1.1	192.168.2.5	0xf477	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.986774921 CEST	1.1.1.1	192.168.2.5	0xeb3c	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.986774921 CEST	1.1.1.1	192.168.2.5	0xeb3c	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.986774921 CEST	1.1.1.1	192.168.2.5	0xeb3c	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:27.986774921 CEST	1.1.1.1	192.168.2.5	0xeb3c	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:28.031836987 CEST	1.1.1.1	192.168.2.5	0x28a2	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:28.031836987 CEST	1.1.1.1	192.168.2.5	0x28a2	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:28.045820951 CEST	1.1.1.1	192.168.2.5	0xb91d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:29.244191885 CEST	1.1.1.1	192.168.2.5	0x9186	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:29.244191885 CEST	1.1.1.1	192.168.2.5	0x9186	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:46.292511940 CEST	1.1.1.1	192.168.2.5	0xa12b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:46.938431025 CEST	1.1.1.1	192.168.2.5	0xc08b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:00:46.938431025 CEST	1.1.1.1	192.168.2.5	0xc08b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:00:58.165090084 CEST	1.1.1.1	192.168.2.5	0x453b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:01:26.946197987 CEST	1.1.1.1	192.168.2.5	0xfd89	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:01:27.576152086 CEST	1.1.1.1	192.168.2.5	0x8562	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:01:27.576152086 CEST	1.1.1.1	192.168.2.5	0x8562	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:02:47.676728964 CEST	1.1.1.1	192.168.2.5	0x10e4	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:02:47.685384989 CEST	1.1.1.1	192.168.2.5	0x5511	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 23, 2024 18:02:48.335467100 CEST	1.1.1.1	192.168.2.5	0x3bb3	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 23, 2024 18:02:48.335467100 CEST	1.1.1.1	192.168.2.5	0x3bb3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	7104	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 18:00:00.023333073 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:00.638174057 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85661 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	34.107.221.82	80	7104	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 18:00:01.252419949 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:01.851948023 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85927 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	34.107.221.82	80	7104	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 18:00:02.499401093 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:03.119925022 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85664 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:05.426209927 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:05.553947926 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85666 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:06.176695108 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:06.305337906 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85667 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:06.807085037 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:06.934410095 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85667 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:15.605062962 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:15.915204048 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:16.014923096 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85676 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:25.683374882 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:25.810700893 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85686 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:28.571935892 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:28.699147940 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85689 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:29.231096983 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:29.359436989 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85690 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:39.372803926 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:00:46.929014921 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:47.055985928 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85707 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:57.056822062 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:00:58.999895096 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:59.127583981 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85720 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:59.575630903 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:00:59.702785969 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85720 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:00:59.817630053 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:01:00.107223988 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85720 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:01:10.118314028 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:20.135338068 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:27.568217039 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:01:27.695996046 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85748 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 23, 2024 18:01:37.709536076 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:47.816293001 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:57.829468012 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:07.844388962 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:17.857212067 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:27.870732069 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:48.327332020 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 23, 2024 18:02:48.455079079 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Tue, 22 Oct 2024 16:12:19 GMT Age: 85829 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49733	34.107.221.82	80	7104	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 18:00:05.448504925 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49737	34.107.221.82	80	7104	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 23, 2024 18:00:05.563919067 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:06.170835018 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85932 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:06.308221102 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:06.434858084 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85932 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:06.946907043 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:07.073574066 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85933 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:17.081007004 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:00:17.151038885 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:17.277753115 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85943 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:25.814425945 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:25.941267967 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85951 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:28.705435038 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:28.832706928 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85954 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:29.362802982 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:29.489975929 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85955 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:39.504352093 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:00:47.059611082 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:47.187060118 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85973 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:57.194916964 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:00:59.572007895 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:00:59.699127913 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85985 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:00:59.816346884 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:01:00.107203960 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85985 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:01:00.172194004 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:01:00.300234079 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 85986 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:01:10.303248882 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:20.313308001 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:27.700210094 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:01:27.826795101 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 86013 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 23, 2024 18:01:37.841051102 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:47.853928089 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:01:57.867366076 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:07.875616074 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:17.888452053 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 23, 2024 18:02:48.459237099 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 23, 2024 18:02:48.586297035 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Tue, 22 Oct 2024 16:07:54 GMT Age: 86094 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	11:59:52
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x8b0000
File size:	919'552 bytes
MD5 hash:	4BD898F7538E346E91E4C83E0C11AD2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:59:52
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:59:52
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:59:54
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:59:54
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:59:54
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:59:54
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:59:54
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:59:55
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:59:55
Start date:	23/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xcb0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:59:55
Start date:	23/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:59:55
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:59:55
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:59:55
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	11:59:56
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2108 -prefMapHandle 2100 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0db7204-06d3-428f-bcd4-2897346120bd} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870d10 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	11:59:58
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2716 -parentBuildID 20230927232528 -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a70b601-fc0d-4b95-b580-7725ca6cdc50} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223bdd2b510 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	12:00:01
Start date:	23/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4980 -prefMapHandle 4976 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {349d6966-eb71-4eb8-a0f9-1297aa39e4f0} 7104 "\\.\pipe\gecko-crash-server-pipe.7104" 223ab870310 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1536
Total number of Limit Nodes:	66

Executed Functions

Function 008B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008B430D

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

GetCurrentProcess.KERNEL32(?,0094CB64,00000000,?,?), ref: 008B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 008B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 008B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 008B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008B44A0

Strings

GetNativeSystemInfo, xrefs: 008B4460
|O, xrefs: 008F36F8
kernel32.dll, xrefs: 008B444F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 90acdaaa7c16df009e4438a4c3de3370b0d1677aed57d720cacd9723333a08ac
Instruction ID: c34fd9d4377cfe961c2d5fc2936437c6f5a2db73bf6f5041971d4efed6e9c1f0
Opcode Fuzzy Hash: 90acdaaa7c16df009e4438a4c3de3370b0d1677aed57d720cacd9723333a08ac
Instruction Fuzzy Hash: C7A1B07292E2C8DFC712D7797C415E53FACBB26704B0858ABE081D3B22D264464AFB25

Function 008B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008B50AA,?,?,00000000,00000000), ref: 008B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008B50AA,?,?,00000000,00000000), ref: 008B42C9
LoadResource.KERNEL32(?,00000000,?,?,008B50AA,?,?,00000000,00000000,?,?,?,?,?,?,008B4F20), ref: 008F35BE
SizeofResource.KERNEL32(?,00000000,?,?,008B50AA,?,?,00000000,00000000,?,?,?,?,?,?,008B4F20), ref: 008F35D3
LockResource.KERNEL32(008B50AA,?,?,008B50AA,?,?,00000000,00000000,?,?,?,?,?,?,008B4F20,?), ref: 008F35E6

Strings

SCRIPT, xrefs: 008B42BF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 89b95b4d8def7d0cf5eff2053270040f81a10fb86ad5aa12dae6978eb7f961a9
Instruction ID: 1a2ac9bd0b84c2e242b4df0b36f9bc64ce8ac2951bbcdaefe55c5642439ddb9f
Opcode Fuzzy Hash: 89b95b4d8def7d0cf5eff2053270040f81a10fb86ad5aa12dae6978eb7f961a9
Instruction Fuzzy Hash: C3118EB4201701BFE7218FA5DC4AF677BB9FBC6B51F104169F412D6260DBB2DC00A620

Function 008F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 008B2B6B

Part of subcall function 008B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00981418,?,008B2E7F,?,?,?,00000000), ref: 008B3A78

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00972224), ref: 008F2C10
ShellExecuteW.SHELL32(00000000,?,?,00972224), ref: 008F2C17

Strings

runas, xrefs: 008F2C0B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 957430385ec7bc88c993e1f5651a8b4fdc9b7cc52bb93d9760e88c0f755e875f
Instruction ID: 0fb8db6de5f574727b70b0eba01aa9de3325dd08dcaa1329f546b2b200c7628e
Opcode Fuzzy Hash: 957430385ec7bc88c993e1f5651a8b4fdc9b7cc52bb93d9760e88c0f755e875f
Instruction Fuzzy Hash: 34119D31208305AAC714FF78D8519FE7BA8FB95310F44142DF186D23A3DF219A4A9713

Function 0091D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0091D501
Process32FirstW.KERNEL32(00000000,?), ref: 0091D50F
Process32NextW.KERNEL32(00000000,?), ref: 0091D52F
CloseHandle.KERNELBASE(00000000), ref: 0091D5DC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fcfa0edf7f8368b8714510d897129446303067ebbd764d53bd2e0ce193b7e7eb
Instruction ID: 4034f31885c846bbe820b6aa03bfd24807eef3fd9c90f7263d3b285c2a4da754
Opcode Fuzzy Hash: fcfa0edf7f8368b8714510d897129446303067ebbd764d53bd2e0ce193b7e7eb
Instruction Fuzzy Hash: 793170711082049FD304EF58C881AAFBBE8FF99354F14092DF585C62A1EB71A985CB93

Function 0091DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,008F5222), ref: 0091DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0091DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0091DBEE
FindClose.KERNEL32(00000000), ref: 0091DBFA

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d1db4822cdec317b2a13cd3a83ccbd881cd82ff7bbc9b82878963be41d067aff
Instruction ID: cd728be7af3149cfb3bf00c7171feb506db29763a8d89322c677235d31b50e5e
Opcode Fuzzy Hash: d1db4822cdec317b2a13cd3a83ccbd881cd82ff7bbc9b82878963be41d067aff
Instruction Fuzzy Hash: C6F0EC7442A9145B82206B7C9C0DCEA376C9E02338B104B02F575C10F0EBF09D94D5D5

Function 008D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008E28E9,?,008D4CBE,008E28E9,009788B8,0000000C,008D4E15,008E28E9,00000002,00000000,?,008E28E9), ref: 008D4D09
TerminateProcess.KERNEL32(00000000,?,008D4CBE,008E28E9,009788B8,0000000C,008D4E15,008E28E9,00000002,00000000,?,008E28E9), ref: 008D4D10
ExitProcess.KERNEL32 ref: 008D4D22

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 72c434ec9382dd4b2241359fb70e99f0dc8d630dc066ded427e42261175b8495
Instruction ID: 69ccd541ccb9dcef78df146f19b9c2a8f40d4f6aaf5f0be1fd45498e1390523c
Opcode Fuzzy Hash: 72c434ec9382dd4b2241359fb70e99f0dc8d630dc066ded427e42261175b8495
Instruction Fuzzy Hash: C4E0B675015188AFCF61AF64DD09E583B6AFB46781F144115FC05CB232DB35DD42EB80

Function 0093AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0093B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0093B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0093B1D4
_wcslen.LIBCMT ref: 0093B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0093B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0093B236
_wcslen.LIBCMT ref: 0093B332

Part of subcall function 009205A7: GetStdHandle.KERNEL32(000000F6), ref: 009205C6

_wcslen.LIBCMT ref: 0093B34B
_wcslen.LIBCMT ref: 0093B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0093B3B6
GetLastError.KERNEL32(00000000), ref: 0093B407
CloseHandle.KERNEL32(?), ref: 0093B439
CloseHandle.KERNEL32(00000000), ref: 0093B44A
CloseHandle.KERNEL32(00000000), ref: 0093B45C
CloseHandle.KERNEL32(00000000), ref: 0093B46E
CloseHandle.KERNEL32(?), ref: 0093B4E3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5c164d822db8d79f5baf75d0a270955c77a149a60b10ee61e44383243a0a034b
Instruction ID: ba611785a07b3d55b26bed4b058263a18e13f3d3a864f35a88e78dae110125d5
Opcode Fuzzy Hash: 5c164d822db8d79f5baf75d0a270955c77a149a60b10ee61e44383243a0a034b
Instruction Fuzzy Hash: 9EF158316083009FC724EF28C895B6ABBE5FF85314F14895DF9999B2A2DB31EC44CB52

Function 008BD730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008BD807
timeGetTime.WINMM ref: 008BDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008BDB28
TranslateMessage.USER32(?), ref: 008BDB7B
DispatchMessageW.USER32(?), ref: 008BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008BDB9F
Sleep.KERNELBASE(0000000A), ref: 008BDBB1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: d5cf8d5b14072db098416e9bf26d28164eb621a0d1a7a36b7f861ce9eb298932
Instruction ID: deae3e4280979608634befaec045a8e798ffa555abf584cf5b18d109cffa7bb1
Opcode Fuzzy Hash: d5cf8d5b14072db098416e9bf26d28164eb621a0d1a7a36b7f861ce9eb298932
Instruction Fuzzy Hash: 2242BE70608741EFD728CF24C898BAABBE5FF86314F148559E895C7391E774E844DB82

Function 008B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008B2D07
RegisterClassExW.USER32(00000030), ref: 008B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008B2D42
InitCommonControlsEx.COMCTL32(?), ref: 008B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008B2D6F
LoadIconW.USER32(000000A9), ref: 008B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008B2D94

Strings

0, xrefs: 008B2CE9
AutoIt v3 GUI, xrefs: 008B2D23
+, xrefs: 008B2CF0
TaskbarCreated, xrefs: 008B2D37

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 16cdf22d539adf64b4bb1441bde44b137097c2b87a760427209dc2b69c178008
Instruction ID: aec04e399c2b3d01e5a30bfb51bb025b78f4bc5f283d3cf91967b017e0f2ec73
Opcode Fuzzy Hash: 16cdf22d539adf64b4bb1441bde44b137097c2b87a760427209dc2b69c178008
Instruction Fuzzy Hash: C521C4B5926318AFDB40DFA4EC49BDDBBB8FB09700F00411AF511A63A0D7B24545EF91

Function 008F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008F039A: CreateFileW.KERNELBASE(00000000,00000000,?,008F0704,?,?,00000000,?,008F0704,00000000,0000000C), ref: 008F03B7

GetLastError.KERNEL32 ref: 008F076F
__dosmaperr.LIBCMT ref: 008F0776
GetFileType.KERNELBASE(00000000), ref: 008F0782
GetLastError.KERNEL32 ref: 008F078C
__dosmaperr.LIBCMT ref: 008F0795
CloseHandle.KERNEL32(00000000), ref: 008F07B5
CloseHandle.KERNEL32(?), ref: 008F08FF
GetLastError.KERNEL32 ref: 008F0931
__dosmaperr.LIBCMT ref: 008F0938

Strings

H, xrefs: 008F08BD

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d563659fc22649a965edc0cb36abd8bc39416bfe10f199b2cba12d3b491b377f
Instruction ID: b88291b9029451ca535dad115d92c0eff16d58422183263a3f7fa842f2404237
Opcode Fuzzy Hash: d563659fc22649a965edc0cb36abd8bc39416bfe10f199b2cba12d3b491b377f
Instruction Fuzzy Hash: 71A11132A141088FDF19AF78D851BBE7BA0FB4A324F144159F911DF392DA319912DF92

Function 008B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00981418,?,008B2E7F,?,?,?,00000000), ref: 008B3A78

Part of subcall function 008B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008F31CE
RegCloseKey.ADVAPI32(?), ref: 008F3210
_wcslen.LIBCMT ref: 008F3277
_wcslen.LIBCMT ref: 008F3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 008B3560
\, xrefs: 008F328C
Include, xrefs: 008F3184, 008F31C5
\Include\, xrefs: 008B3527

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 32b5e614afa37e6b2ec571d3a4ae81d0d020afb4f24762c3c9f376576996c13e
Instruction ID: 8446209865983f3ead696e184c8c8357841280a5b7a173648233e6f9ae44bd97
Opcode Fuzzy Hash: 32b5e614afa37e6b2ec571d3a4ae81d0d020afb4f24762c3c9f376576996c13e
Instruction Fuzzy Hash: 09718E714193049EC314EF69ECA29ABBBE8FF85B40F40042EF585D7361EB349A48DB52

Function 008B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 008B2B9D
LoadIconW.USER32(00000063), ref: 008B2BB3
LoadIconW.USER32(000000A4), ref: 008B2BC5
LoadIconW.USER32(000000A2), ref: 008B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008B2BEF
RegisterClassExW.USER32(?), ref: 008B2C40

Part of subcall function 008B2CD4: GetSysColorBrush.USER32(0000000F), ref: 008B2D07
Part of subcall function 008B2CD4: RegisterClassExW.USER32(00000030), ref: 008B2D31
Part of subcall function 008B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008B2D42
Part of subcall function 008B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008B2D5F
Part of subcall function 008B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008B2D6F
Part of subcall function 008B2CD4: LoadIconW.USER32(000000A9), ref: 008B2D85
Part of subcall function 008B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008B2D94

Strings

#, xrefs: 008B2C16
AutoIt v3, xrefs: 008B2C2F
0, xrefs: 008B2C0F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f6ad0bb38fd4db90f9b2d191cba734a843a4b0bc2fca2dc9c24f38d55412f87
Instruction ID: debe9f3db9fce2123b55f60ef094811b274f1d2c51c75e56b56cf9d1e2ba42e6
Opcode Fuzzy Hash: 5f6ad0bb38fd4db90f9b2d191cba734a843a4b0bc2fca2dc9c24f38d55412f87
Instruction Fuzzy Hash: B22118B4E29318AFDB109FA5EC55AA97FB8FB48B50F00001BF600A67A0D7B15641EF90

Function 008B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008B316A,?,?), ref: 008B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,008B316A,?,?), ref: 008B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008B316A,?,?), ref: 008B3232
CreatePopupMenu.USER32 ref: 008B3246
PostQuitMessage.USER32(00000000), ref: 008B3267

Strings

TaskbarCreated, xrefs: 008B322D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 07eef985ec78572a1f8bf4ab86c6f1c89e576bac5291ea2d4a7a1d9a4cc4c040
Instruction ID: 0c8101afb4a46e1380b63388b946b00679e9340c5d6e6172d734c88174c83b07
Opcode Fuzzy Hash: 07eef985ec78572a1f8bf4ab86c6f1c89e576bac5291ea2d4a7a1d9a4cc4c040
Instruction Fuzzy Hash: 5A412A7526820CABDB252B7CDC1EBFA3A5DFB45345F040126F512C63A2CB719E41A762

Function 008B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008B1459
CoUninitialize.COMBASE ref: 008B14F8
UnregisterHotKey.USER32(?), ref: 008B16DD
DestroyWindow.USER32(?), ref: 008F24B9
FreeLibrary.KERNEL32(?), ref: 008F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008F254B

Strings

close all, xrefs: 008B1454

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: cc55940110a257485e694afe8ca99fed68e68889dce7228a4f132648609b8af7
Instruction ID: 1e62ed94d2a631ce744e131223ee011b5ee1e84d2f613c426dfd7762524d1f4b
Opcode Fuzzy Hash: cc55940110a257485e694afe8ca99fed68e68889dce7228a4f132648609b8af7
Instruction Fuzzy Hash: 85D16B306022169FDB29EF28C4A9A69F7A1FF05704F5441ADE54AEB362DB30AC12CF55

Function 008B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,008B1CAD,?), ref: 008B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,008B1CAD,?), ref: 008B2CCF

Strings

AutoIt v3, xrefs: 008B2C89, 008B2C8E, 008B2C8F
edit, xrefs: 008B2CAC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 192842f2a4cc2040266d14c6692133edaf08b5ae52a343caf98f9130daf546c1
Instruction ID: fb4131f9bab20ab098c74245e2eec04befe43de715af6d5caa591f1379cbae5e
Opcode Fuzzy Hash: 192842f2a4cc2040266d14c6692133edaf08b5ae52a343caf98f9130daf546c1
Instruction Fuzzy Hash: 3CF0DAB95653907EEB711717AC08EB72EBDD7C7F50B00005BF900A26A0C6751852EBB0

Function 008B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008B3B0F,SwapMouseButtons,00000004,?), ref: 008B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008B3B0F,SwapMouseButtons,00000004,?), ref: 008B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008B3B0F,SwapMouseButtons,00000004,?), ref: 008B3B83

Strings

Control Panel\Mouse, xrefs: 008B3B3E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 91408468c246a614be1f3ea2f8b6761a406b18ee6c2c13bd1914c29f524c7bfa
Instruction ID: cdf56ac24b5ab6624a11d24e40211a8d2fd95c4fe6d0ad70ade03b5dd746764d
Opcode Fuzzy Hash: 91408468c246a614be1f3ea2f8b6761a406b18ee6c2c13bd1914c29f524c7bfa
Instruction Fuzzy Hash: 6C112AB5521208FFDF208FA5DC44EEEBBB8FF05754B104559A805D7214D6319E40A760

Function 008B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008F33A2

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 008B3A04

Strings

Line: , xrefs: 008F33EB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: fb10e62d08acedd72949d65e9b899fd2a9b6617e9154ee55f47cfed970fd79b4
Instruction ID: 513b73d07684a9575e4473e7291d58035b872bf8a4e32f33f9d197a7f6ed0ebb
Opcode Fuzzy Hash: fb10e62d08acedd72949d65e9b899fd2a9b6617e9154ee55f47cfed970fd79b4
Instruction Fuzzy Hash: 7231CE71408304AAC325EB24DC45BEBBBECFB45714F104A2AF599C2391EB70AA49C7C3

Function 008B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 008B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008B1BF4
Part of subcall function 008B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008B1BFC
Part of subcall function 008B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008B1C07
Part of subcall function 008B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008B1C12
Part of subcall function 008B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008B1C1A
Part of subcall function 008B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008B1C22

Part of subcall function 008B1B4A: RegisterWindowMessageW.USER32(00000004,?,008B12C4), ref: 008B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008B136A
OleInitialize.OLE32 ref: 008B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008F24AB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3e6c570f289d3eda4a7c2dfaf7ee9aa46ba004c7b8c949234342460e12a0da8b
Instruction ID: 3107dd91c33eba30abbcbd7c9777b24aed9eef495983860a0808dd8ca335b0ab
Opcode Fuzzy Hash: 3e6c570f289d3eda4a7c2dfaf7ee9aa46ba004c7b8c949234342460e12a0da8b
Instruction Fuzzy Hash: 0D718AB49293009FC798EF79E856A953AECFB89344754822EE01AC7372EB304442AF45

Function 0091C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0091C259
KillTimer.USER32(?,00000001,?,?), ref: 0091C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0091C270

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 17fb77f8b34321d238821134551c2a26efbd5c19e6d97f5f72e4949cf3f892ae
Instruction ID: 71281fce60fa770c6132d460107be3b5c6f9aaa6908353e2d93d196cfe9881d3
Opcode Fuzzy Hash: 17fb77f8b34321d238821134551c2a26efbd5c19e6d97f5f72e4949cf3f892ae
Instruction Fuzzy Hash: 2831D9B0A443486FEB328F648855BDBBBEC9F17304F00089ED5EA93241C7746AC5CB51

Function 008E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,008E85CC,?,00978CC8,0000000C), ref: 008E8704
GetLastError.KERNEL32(?,008E85CC,?,00978CC8,0000000C), ref: 008E870E
__dosmaperr.LIBCMT ref: 008E8739

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: f36617987ca4e14cee2908a52e0dd0bdfa6fc3ac9a8e7f32da71cec7bc53f7c8
Instruction ID: 6b7209be6632bc9167aef41c9056b345942dba8260327d433678ce845a6dab5c
Opcode Fuzzy Hash: f36617987ca4e14cee2908a52e0dd0bdfa6fc3ac9a8e7f32da71cec7bc53f7c8
Instruction Fuzzy Hash: 8D016F326091E0B6C664623A5C49B7E6745EB93778F350119F81CCB2E2DE60CC819251

Function 008BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 008BDB7B
DispatchMessageW.USER32(?), ref: 008BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008BDB9F
Sleep.KERNELBASE(0000000A), ref: 008BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00901CC9

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 00517749a8940904e072d31100bde7ac930ecb077348b25d12d40c6c5da38559
Instruction ID: f860ace9bad486ccaa6c3bb982b444eb39ea76abed6305564fb73ceaa3aea81b
Opcode Fuzzy Hash: 00517749a8940904e072d31100bde7ac930ecb077348b25d12d40c6c5da38559
Instruction Fuzzy Hash: 33F05E70659340AFEB70CB608C49FEA73ACFB45310F104A28F64AD31C0EB30A4889B25

Function 008C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008C17F6

Strings

CALL, xrefs: 008C17C6

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 56b85f94c8bede7c40aa87d3d7e3f1ba986e56056618b4f5f8873402b1bb8112
Instruction ID: 71918335b4b5a7fd3b5f9dcf61bf3915c5507373a09e93caca6627bc0a874f20
Opcode Fuzzy Hash: 56b85f94c8bede7c40aa87d3d7e3f1ba986e56056618b4f5f8873402b1bb8112
Instruction Fuzzy Hash: 3A2257706082019FCB14DF18C488F2ABBF6FF86314F14896DF5968B2A2D731E955CB92

Function 008B2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 008F2C8C

Part of subcall function 008B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B3A97,?,?,008B2E7F,?,?,?,00000000), ref: 008B3AC2

Part of subcall function 008B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008B2DC4

Strings

X, xrefs: 008F2C5A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bc3788980cce69a564690e769266a2f4df799db3b1cd07df1d51b60fe993b548
Instruction ID: b1510a3727f5c6d89e2783347454f68eb66f5192c35631010785af268868451a
Opcode Fuzzy Hash: bc3788980cce69a564690e769266a2f4df799db3b1cd07df1d51b60fe993b548
Instruction Fuzzy Hash: 9B218171A1025C9ECB119F98C845BEE7BF8FF49314F00805AE509E7341DBB49A498B62

Function 008B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 008B3908

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c937bcd93706721363b47bd7cf2934dd64e342a9adcf1640d96ff23d55be537e
Instruction ID: 6d11392b1e9911ace463b70ede51ce9e0b9a083f6a746b3973db619dfb1f4430
Opcode Fuzzy Hash: c937bcd93706721363b47bd7cf2934dd64e342a9adcf1640d96ff23d55be537e
Instruction Fuzzy Hash: 7F315AB06087019FD721DF24D885797BBE8FB49708F00092EE59AC3350E771AA44DB52

Function 008CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008CF661

Part of subcall function 008BD730: GetInputState.USER32 ref: 008BD807

Sleep.KERNEL32(00000000), ref: 0090F2DE

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 14c5f59a521985a45565df11fcd18f65dcddc680cb2f3a81a584b6191f5391f2
Instruction ID: 5a4d415e8e4aee59bc2845cfbf59aa102f4e3ad6905bdc86d7ccee9c8515af63
Opcode Fuzzy Hash: 14c5f59a521985a45565df11fcd18f65dcddc680cb2f3a81a584b6191f5391f2
Instruction Fuzzy Hash: B6F0A7752442059FD350EF79D455F9AB7E8FF46761F000029E85AC7361DB70A800CB92

Function 008B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008B4EDD,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4E9C
Part of subcall function 008B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008B4EAE
Part of subcall function 008B4E90: FreeLibrary.KERNEL32(00000000,?,?,008B4EDD,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4EFD

Part of subcall function 008B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008F3CDE,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4E62
Part of subcall function 008B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008B4E74
Part of subcall function 008B4E59: FreeLibrary.KERNEL32(00000000,?,?,008F3CDE,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4E87

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e71ce68141ed9dda380c2f2518a4e20495e5cc7256143bbd24196d4cf81b06f3
Instruction ID: 59c8a846e69b1788a8a265693a114bf289fc72b700d4f30c1b9f576b8a8284cf
Opcode Fuzzy Hash: e71ce68141ed9dda380c2f2518a4e20495e5cc7256143bbd24196d4cf81b06f3
Instruction Fuzzy Hash: 1B119132650205AADB14BB68DC03FED77A5FF40B14F108429F542EB3D2EEB0EA459B51

Function 008E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008E8440

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e08769d5204cb8350298848331b9f07089472169ada3ec03811a2bb8339e55f8
Instruction ID: e8788a9a9a403141ef316d0fc09ce642d6affc7c69f443db2f6b61f7864fb4b9
Opcode Fuzzy Hash: e08769d5204cb8350298848331b9f07089472169ada3ec03811a2bb8339e55f8
Instruction Fuzzy Hash: 5911367190410AEFCB05DF59E94099E7BF8FF49314F104059F808EB352DA30DA118BA5

Function 008DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 8d1a920ca49d1a042beac258678cc79a70a6396030cd7f274634b8fb385fc65a
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D1F0D132510A14A6C6313A6EAC05B5A3798FF63338F10071AF825DA3D2DA74E802C6A6

Function 008E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00981444,?,008CFDF5,?,?,008BA976,00000010,00981440,008B13FC,?,008B13C6,?,008B1129), ref: 008E3852

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b3e7dac2fe6afa7ee879455f727dfdc02629407dfd63165d51adfc1af6291ca0
Instruction ID: c3cfa678be5d12cb00851ec96fc2be628b938ca13c1f72887f2ee36ffa0e961a
Opcode Fuzzy Hash: b3e7dac2fe6afa7ee879455f727dfdc02629407dfd63165d51adfc1af6291ca0
Instruction Fuzzy Hash: 66E0ED311052B8ABE6312AAB9C09B9A3748FB837B0F050232BC15D3691CB60DE0192E2

Function 008B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4F6D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b007af9682c2ee1ee2260fcc6eff6745f1eb704415a09c6e65c2f0ff24de6140
Instruction ID: dd7957db6bfdebb324a5f239f987d91688ca16cf29f9b9ecb00c4b882e94a989
Opcode Fuzzy Hash: b007af9682c2ee1ee2260fcc6eff6745f1eb704415a09c6e65c2f0ff24de6140
Instruction Fuzzy Hash: 49F01C71505752CFDB349F64D491862B7E4FF14319310996EE1DAC3712CB31A844DF10

Function 00942A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00942A66

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b82477b25cfc3ebab5ca4749f09b6f4f3846933ee93c1dfe29907fa96ffe3401
Instruction ID: 579a43c9f5037f91def7af879f0ce74c0a7708684ded6ced02299fe882a4ef9e
Opcode Fuzzy Hash: b82477b25cfc3ebab5ca4749f09b6f4f3846933ee93c1dfe29907fa96ffe3401
Instruction Fuzzy Hash: B9E0DF3636422AAAC714EB30EC84DFA735CFBA03917004836BC26C3140EB349A9282A0

Function 008B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 008B314E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 10568264003dce203dd91636a6d8e9affae6c7b210480cbcd84a75665603dd3b
Instruction ID: 62e99c5f04a46529c5288d38851501a2cae61cf0394555d43a88a9a8b4e7536c
Opcode Fuzzy Hash: 10568264003dce203dd91636a6d8e9affae6c7b210480cbcd84a75665603dd3b
Instruction Fuzzy Hash: FEF037709243149FE7569B24DC467D57BBCB701708F0001E6A548D6391D7745789DF51

Function 008B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008B2DC4

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: b61eb366f310654ce7a6d6c6ed155d786e52718514f946f07d353827a687f8c2
Instruction ID: 9b4d5fe384d81f338a34521a2d8b3c5b4406f328feeeaa4fff24a95ba717f823
Opcode Fuzzy Hash: b61eb366f310654ce7a6d6c6ed155d786e52718514f946f07d353827a687f8c2
Instruction Fuzzy Hash: A9E0CD766051245BCB10925C9C05FEA77EDEFC8790F040071FD09D7248D9A4ED808551

Function 008B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008B3908

Part of subcall function 008BD730: GetInputState.USER32 ref: 008BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 008B2B6B

Part of subcall function 008B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008B314E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: d381a07e277932ddb63ac2df6b520675f667b71e69e24190af1667db7f91aa0a
Instruction ID: f00ee985780d636edb202a658f2333f117b6196d6a8d4b4bbe15c6b4352774e3
Opcode Fuzzy Hash: d381a07e277932ddb63ac2df6b520675f667b71e69e24190af1667db7f91aa0a
Instruction Fuzzy Hash: B5E0862130424416C604BB7C98529FDA759FBD5351F40153EF142C3373DE2445464353

Function 008F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,008F0704,?,?,00000000,?,008F0704,00000000,0000000C), ref: 008F03B7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2a7555d43bd9e7d8b4410848e2dd832c54a45b4d4d85123f3d044fa58d503487
Instruction ID: 1fcda24f632130f45dc50fc02f76f197a73e3d94b9ac61775277742caebd60af
Opcode Fuzzy Hash: 2a7555d43bd9e7d8b4410848e2dd832c54a45b4d4d85123f3d044fa58d503487
Instruction Fuzzy Hash: 35D06C3205410DBFDF028F84DD06EDA3BAAFB4C714F014000BE1856020C732E821AB90

Function 008B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008B1CBC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 46cc259963a02ca52271e7c0896530796c022af12c3e34cc56a0e2550589ba19
Instruction ID: b97246f6543aa5c9fc26615d5317e4090febd8bb4651be304727aa3af6a37111
Opcode Fuzzy Hash: 46cc259963a02ca52271e7c0896530796c022af12c3e34cc56a0e2550589ba19
Instruction Fuzzy Hash: B1C0923A2EC304AFF3148B80FC4AF547768A348B00F048002F709A97E3C3A22820FB50

Non-executed Functions

Function 00949576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0094961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0094965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0094969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009496C9
SendMessageW.USER32 ref: 009496F2
GetKeyState.USER32(00000011), ref: 0094978B
GetKeyState.USER32(00000009), ref: 00949798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009497AE
GetKeyState.USER32(00000010), ref: 009497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009497E9
SendMessageW.USER32 ref: 00949810
SendMessageW.USER32(?,00001030,?,00947E95), ref: 00949918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0094992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00949941
SetCapture.USER32(?), ref: 0094994A
ClientToScreen.USER32(?,?), ref: 009499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009499D6
ReleaseCapture.USER32 ref: 009499E1
GetCursorPos.USER32(?), ref: 00949A19
ScreenToClient.USER32(?,?), ref: 00949A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00949A80
SendMessageW.USER32 ref: 00949AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00949AEB
SendMessageW.USER32 ref: 00949B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00949B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00949B4A
GetCursorPos.USER32(?), ref: 00949B68
ScreenToClient.USER32(?,?), ref: 00949B75
GetParent.USER32(?), ref: 00949B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00949BFA
SendMessageW.USER32 ref: 00949C2B
ClientToScreen.USER32(?,?), ref: 00949C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00949CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00949CDE
SendMessageW.USER32 ref: 00949D01
ClientToScreen.USER32(?,?), ref: 00949D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00949D82

Part of subcall function 008C9944: GetWindowLongW.USER32(?,000000EB), ref: 008C9952

GetWindowLongW.USER32(?,000000F0), ref: 00949E05

Strings

@GUI_DRAGID, xrefs: 0094997D
F, xrefs: 00949D07

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6c89216e273b945f7714924293ba9b456cc87df6b273bfd4ce60f9d1a7cd6d1e
Instruction ID: d4564b17e7f950c3d85434ae5cfff463d6a7ce21e0bfedd48593cb3d975eeb5a
Opcode Fuzzy Hash: 6c89216e273b945f7714924293ba9b456cc87df6b273bfd4ce60f9d1a7cd6d1e
Instruction Fuzzy Hash: B242AD74218201AFDB24CF28CC44EABBBE9FF49314F114A19FA99872A1D731E850DF52

Function 00944873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00944908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00944927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0094494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0094495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0094497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00944A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00944A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00944A7E
IsMenu.USER32(?), ref: 00944A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00944AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00944B20
GetWindowLongW.USER32(?,000000F0), ref: 00944B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00944BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00944C82
wsprintfW.USER32 ref: 00944CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00944CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00944CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00944D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00944D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00944D5A

Strings

%d/%02d/%02d, xrefs: 00944CA8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 8c797640261f35896ae417cade4cb9cbaf1aa7924b0c9abe673a30ac37745639
Instruction ID: f549c6bf27f7b2cfff19ee40429213ed6b4edcc44220811d8ef8d77c3613df25
Opcode Fuzzy Hash: 8c797640261f35896ae417cade4cb9cbaf1aa7924b0c9abe673a30ac37745639
Instruction Fuzzy Hash: EF12DC71A00215AFEB248F28CC49FAE7BF8FF85710F104569F916EA2E1DB789941DB50

Function 008CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090F474
IsIconic.USER32(00000000), ref: 0090F47D
ShowWindow.USER32(00000000,00000009), ref: 0090F48A
SetForegroundWindow.USER32(00000000), ref: 0090F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0090F4AA
GetCurrentThreadId.KERNEL32 ref: 0090F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0090F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0090F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0090F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0090F4DE
SetForegroundWindow.USER32(00000000), ref: 0090F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090F4F6
keybd_event.USER32(00000012,00000000), ref: 0090F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090F50B
keybd_event.USER32(00000012,00000000), ref: 0090F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090F519
keybd_event.USER32(00000012,00000000), ref: 0090F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0090F528
keybd_event.USER32(00000012,00000000), ref: 0090F52D
SetForegroundWindow.USER32(00000000), ref: 0090F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0090F557

Strings

Shell_TrayWnd, xrefs: 0090F46F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d348a1a0c7abafc793a0e0308babb2d1b32276b1cc00d3be1eb3996c1cd876df
Instruction ID: d8c7b15feed0c08932a4c42983af364bcf1d12e02ffd011180f9fe50eec03f3b
Opcode Fuzzy Hash: d348a1a0c7abafc793a0e0308babb2d1b32276b1cc00d3be1eb3996c1cd876df
Instruction Fuzzy Hash: 553170B5A55318BFEB306BB55C4AFBF7E6CEB45B50F100025FA00E61D1C6B06E00BAA0

Function 00911201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0091170D
Part of subcall function 009116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0091173A
Part of subcall function 009116C3: GetLastError.KERNEL32 ref: 0091174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00911286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009112A8
CloseHandle.KERNEL32(?), ref: 009112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009112D1
GetProcessWindowStation.USER32 ref: 009112EA
SetProcessWindowStation.USER32(00000000), ref: 009112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00911310

Part of subcall function 009110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009111FC), ref: 009110D4
Part of subcall function 009110BF: CloseHandle.KERNEL32(?,?,009111FC), ref: 009110E9

Strings

, xrefs: 0091125A
default, xrefs: 0091130B
winsta0, xrefs: 009112CC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: bdb07d804221317628c48728013004900284d60887891985d3ca0021263ac62a
Instruction ID: 968c1cee2c28132bbd7977ac20f826cc55458fef830c09cb39d1b17342aab0c0
Opcode Fuzzy Hash: bdb07d804221317628c48728013004900284d60887891985d3ca0021263ac62a
Instruction Fuzzy Hash: BE818DB1A00209BFDF219FA4DC49FEE7BBDEF05704F144129FA10A62A0D7718984DB25

Function 00910B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00911114
Part of subcall function 009110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 00911120
Part of subcall function 009110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 0091112F
Part of subcall function 009110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 00911136
Part of subcall function 009110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0091114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00910BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00910C00
GetLengthSid.ADVAPI32(?), ref: 00910C17
GetAce.ADVAPI32(?,00000000,?), ref: 00910C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00910C6D
GetLengthSid.ADVAPI32(?), ref: 00910C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00910C8C
HeapAlloc.KERNEL32(00000000), ref: 00910C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00910CB4
CopySid.ADVAPI32(00000000), ref: 00910CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00910CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00910D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00910D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00910D45
HeapFree.KERNEL32(00000000), ref: 00910D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00910D55
HeapFree.KERNEL32(00000000), ref: 00910D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00910D65
HeapFree.KERNEL32(00000000), ref: 00910D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00910D78
HeapFree.KERNEL32(00000000), ref: 00910D7F

Part of subcall function 00911193: GetProcessHeap.KERNEL32(00000008,00910BB1,?,00000000,?,00910BB1,?), ref: 009111A1
Part of subcall function 00911193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00910BB1,?), ref: 009111A8
Part of subcall function 00911193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00910BB1,?), ref: 009111B7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 80b46e92f3ded57d6b17de3162b22441b8d23444e587f34a8adbe36d08f0f894
Instruction ID: 5f689df02076ac5296f69166dd708e17062fcba848d97073b79e2bcbb978e1c6
Opcode Fuzzy Hash: 80b46e92f3ded57d6b17de3162b22441b8d23444e587f34a8adbe36d08f0f894
Instruction Fuzzy Hash: BE715CB9A0520AAFDF10DFA4EC45FEEBBBCBF45300F044515E914A7191D7B2A985CBA0

Function 0092EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0094CC08), ref: 0092EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0092EB37
GetClipboardData.USER32(0000000D), ref: 0092EB43
CloseClipboard.USER32 ref: 0092EB4F
GlobalLock.KERNEL32(00000000), ref: 0092EB87
CloseClipboard.USER32 ref: 0092EB91
GlobalUnlock.KERNEL32(00000000), ref: 0092EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0092EBC9
GetClipboardData.USER32(00000001), ref: 0092EBD1
GlobalLock.KERNEL32(00000000), ref: 0092EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0092EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0092EC38
GetClipboardData.USER32(0000000F), ref: 0092EC44
GlobalLock.KERNEL32(00000000), ref: 0092EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0092EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0092EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0092ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0092ECF3
CountClipboardFormats.USER32 ref: 0092ED14
CloseClipboard.USER32 ref: 0092ED59

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 198a3c94111acbf8cae0ec35508cd2bd1ea3f3f1a46dda2e3a5052c3d35d0edb
Instruction ID: 57aa39cb1f3500c51c729f7acb39c48c23c65243c15d1890f31898b7a2880ffc
Opcode Fuzzy Hash: 198a3c94111acbf8cae0ec35508cd2bd1ea3f3f1a46dda2e3a5052c3d35d0edb
Instruction Fuzzy Hash: BB61EF78208202AFD300EF24E888F6A7BE8FF85714F184519F496C72A6DB71DD05DB62

Function 0092698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009269BE
FindClose.KERNEL32(00000000), ref: 00926A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00926A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00926A75

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00926AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00926ADF

Strings

%4d, xrefs: 00926BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00926B32
%4d%02d%02d%02d%02d%02d, xrefs: 00926B6A
%02d, xrefs: 00926C00, 00926C0A, 00926C5A, 00926CAA, 00926CFA, 00926D4A
%03d, xrefs: 00926DA2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 3f62621daf50b823bf79442ebd354a4c8c694cdf0d0393bb08c866a392347be0
Instruction ID: 9f43f377d31d77c3c8ae8709224b2a7f0a5ed988f2db1f8f1783cb86c56d9032
Opcode Fuzzy Hash: 3f62621daf50b823bf79442ebd354a4c8c694cdf0d0393bb08c866a392347be0
Instruction Fuzzy Hash: 78D11F72508300AEC714EBA4D891EABB7ECFF88704F44491DF589D6291EB74DA44CB63

Function 00929642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00929663
GetFileAttributesW.KERNEL32(?), ref: 009296A1
SetFileAttributesW.KERNEL32(?,?), ref: 009296BB
FindNextFileW.KERNEL32(00000000,?), ref: 009296D3
FindClose.KERNEL32(00000000), ref: 009296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0092974A
SetCurrentDirectoryW.KERNEL32(00976B7C), ref: 00929768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00929772
FindClose.KERNEL32(00000000), ref: 0092977F
FindClose.KERNEL32(00000000), ref: 0092978F

Strings

*.*, xrefs: 009296F5

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 407b8e2e542505fb856b12b141974cceff9e086ef6745824c8fe3ea4957fb70a
Instruction ID: c88057ce312c12cb0d547e03dc3e9f10c95ead2afffb6b540b6619610e9d3b5a
Opcode Fuzzy Hash: 407b8e2e542505fb856b12b141974cceff9e086ef6745824c8fe3ea4957fb70a
Instruction Fuzzy Hash: B93102765056296FDF20EFB4EC48EDE37ACAF4A324F104156F914E21A0DB70DE848E64

Function 0092979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00929819
FindClose.KERNEL32(00000000), ref: 00929824
FindFirstFileW.KERNEL32(*.*,?), ref: 00929840
SetCurrentDirectoryW.KERNEL32(?), ref: 00929890
SetCurrentDirectoryW.KERNEL32(00976B7C), ref: 009298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009298B8
FindClose.KERNEL32(00000000), ref: 009298C5
FindClose.KERNEL32(00000000), ref: 009298D5

Part of subcall function 0091DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0091DB00

Strings

*.*, xrefs: 0092983B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6c37c53f2682cc1e60dd28979c5648b8b067ae214922129c1ae577f6bd1d61d0
Instruction ID: 87d02726576503d17af3004c96ae115c839b07a1fdb2f606170ce3cbd79571aa
Opcode Fuzzy Hash: 6c37c53f2682cc1e60dd28979c5648b8b067ae214922129c1ae577f6bd1d61d0
Instruction Fuzzy Hash: 8231F4725056296FDB14EFB4EC48EDE37BCEF46324F184156E814E2194DB70D944CA20

Function 0093BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0093C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0093B6AE,?,?), ref: 0093C9B5
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093C9F1
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA68
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0093BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0093BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0093BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0093C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0093C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0093C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0093C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0093C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0093C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0093C382
RegCloseKey.ADVAPI32(00000000), ref: 0093C38F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 65ae53ab86530261dab2455a1dab072546394d3549d5078dfd7129f8653d9629
Instruction ID: e655f1d61ebf58f02acd649bc17959c86806d3c1bbf8741514cd19d926505ebb
Opcode Fuzzy Hash: 65ae53ab86530261dab2455a1dab072546394d3549d5078dfd7129f8653d9629
Instruction Fuzzy Hash: E9021BB16046009FD714DF28C895E2ABBE5EF89314F18849DF84ADB2A2DB31ED45CF52

Function 00928195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00928257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00928267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00928273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00928310
SetCurrentDirectoryW.KERNEL32(?), ref: 00928324
SetCurrentDirectoryW.KERNEL32(?), ref: 00928356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0092838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00928395

Strings

*.*, xrefs: 0092839B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fc405808ecf0982d450abfe419baa7da1d60cea17cb9d6f70a9a180a51dbc53f
Instruction ID: a8fdb3670f0a3b70f268716afafd5dd687d0ed9bc67c5aba1a24aef52403a633
Opcode Fuzzy Hash: fc405808ecf0982d450abfe419baa7da1d60cea17cb9d6f70a9a180a51dbc53f
Instruction Fuzzy Hash: 886146B25083159FCB10EF64D8409AFB3E8FF89314F04892AF999C7251EB75E945CB92

Function 0091D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B3A97,?,?,008B2E7F,?,?,?,00000000), ref: 008B3AC2

Part of subcall function 0091E199: GetFileAttributesW.KERNEL32(?,0091CF95), ref: 0091E19A

FindFirstFileW.KERNEL32(?,?), ref: 0091D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0091D1DD
MoveFileW.KERNEL32(?,?), ref: 0091D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0091D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0091D237

Part of subcall function 0091D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0091D21C,?,?), ref: 0091D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0091D253
FindClose.KERNEL32(00000000), ref: 0091D264

Strings

\*.*, xrefs: 0091D0CD, 0091D0D6, 0091D0EB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 62e708d75e6747dbd21cc4ef24fea28029e99a1dd55af187ebbb04927f33dee5
Instruction ID: 08fc6620f44141a159f92431e9dded334ec77b408447a6f366c99ed10bf78390
Opcode Fuzzy Hash: 62e708d75e6747dbd21cc4ef24fea28029e99a1dd55af187ebbb04927f33dee5
Instruction Fuzzy Hash: D6617C3190610DAFCF05EBA4C9929EDBBB9FF55300F204065E412B3292EB30AF49DB61

Function 0092ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0092ED91
EmptyClipboard.USER32 ref: 0092ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0092EDAC
CloseClipboard.USER32 ref: 0092EEA3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0a62561796f4ca623414cd5a861d77c70207998044d34870ee9bc53e7f26bdf1
Instruction ID: 8a214ba76b2c739ced84c0a210d6d5a4974f4abf8ecdf6cced4cf59f991a6887
Opcode Fuzzy Hash: 0a62561796f4ca623414cd5a861d77c70207998044d34870ee9bc53e7f26bdf1
Instruction Fuzzy Hash: A0411375208221AFD320CF15E888F29BBE4FF44318F15C099E4168B7A2C775EC41CB90

Function 0091E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0091170D
Part of subcall function 009116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0091173A
Part of subcall function 009116C3: GetLastError.KERNEL32 ref: 0091174A

ExitWindowsEx.USER32(?,00000000), ref: 0091E932

Strings

, xrefs: 0091E920
, xrefs: 0091E95C
SeShutdownPrivilege, xrefs: 0091E902
@, xrefs: 0091E925

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d4437b84336e8abb937c3bb7500631c3abb398a4bd66a9d503a9f538a55e95da
Instruction ID: af1d33d0b4d01cf6cc723ad2a8eee118b232d9e1b9d5b422ae03f7c7973e724c
Opcode Fuzzy Hash: d4437b84336e8abb937c3bb7500631c3abb398a4bd66a9d503a9f538a55e95da
Instruction Fuzzy Hash: 14014973B24319BFEB5422B49C86FFF725C9B08780F140822FD13E21D1D5A55CC081A0

Function 00931204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00931276
WSAGetLastError.WSOCK32 ref: 00931283
bind.WSOCK32(00000000,?,00000010), ref: 009312BA
WSAGetLastError.WSOCK32 ref: 009312C5
closesocket.WSOCK32(00000000), ref: 009312F4
listen.WSOCK32(00000000,00000005), ref: 00931303
WSAGetLastError.WSOCK32 ref: 0093130D
closesocket.WSOCK32(00000000), ref: 0093133C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8ca03fb49769958f702caa7edde53eba8b3de618c528822432ced10d94b3f17d
Instruction ID: 9ff4e9a53e7685cf88cb2ebb2c2effcf4fd3502374ae26dc341503570aee4d5c
Opcode Fuzzy Hash: 8ca03fb49769958f702caa7edde53eba8b3de618c528822432ced10d94b3f17d
Instruction Fuzzy Hash: 57415F756001109FD710DF68C489B6ABBE5FF86318F188198E8669F3A6C771ED81CFA1

Function 008EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008EB9D4
_free.LIBCMT ref: 008EB9F8
_free.LIBCMT ref: 008EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00953700), ref: 008EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0098121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00981270,000000FF,?,0000003F,00000000,?), ref: 008EBC36
_free.LIBCMT ref: 008EBD4B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3b184f8e03d0e08b33a4afe33f8648762583789f44814e287edf4aef2ee05b16
Instruction ID: 7f16bf76c31ce5ab66aac105b1eb78ff12be2562b5c2aa03558a70b1f2de7a66
Opcode Fuzzy Hash: 3b184f8e03d0e08b33a4afe33f8648762583789f44814e287edf4aef2ee05b16
Instruction Fuzzy Hash: F5C12971904299AFCB20DF7A9C41BAB7BF9FF47320F14416AE494D7252E7309E418751

Function 0091D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B3A97,?,?,008B2E7F,?,?,?,00000000), ref: 008B3AC2

Part of subcall function 0091E199: GetFileAttributesW.KERNEL32(?,0091CF95), ref: 0091E19A

FindFirstFileW.KERNEL32(?,?), ref: 0091D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0091D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0091D481
FindClose.KERNEL32(00000000), ref: 0091D498
FindClose.KERNEL32(00000000), ref: 0091D4A1

Strings

\*.*, xrefs: 0091D3F2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 507099852b4d326d58810cde09d2cc8903e4ed6bf248555f9fd8888efc48e283
Instruction ID: 11123c7de44547c47df0442ac3e163feb910012e5a93c898e4207209ade7b93e
Opcode Fuzzy Hash: 507099852b4d326d58810cde09d2cc8903e4ed6bf248555f9fd8888efc48e283
Instruction Fuzzy Hash: 40315E71019345AFC304EF68D8918EF77A8BE96304F444A2DF4E1922E1EB60AA499763

Function 008EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008EE645

Strings

1#SNAN, xrefs: 008EF844
1#QNAN, xrefs: 008EF84B
1#IND, xrefs: 008EF83D
1#INF, xrefs: 008EF852

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 29cc0e0fc9c31c409497f7f4dcc36ae3968623fd940c6666e9639169e926a65e
Instruction ID: 24f640c1dbb08b045e964d019189a91116c074bf7cafad04120711e0b1aa486b
Opcode Fuzzy Hash: 29cc0e0fc9c31c409497f7f4dcc36ae3968623fd940c6666e9639169e926a65e
Instruction Fuzzy Hash: A1C25971E086688FDB25CE29DD407EAB7B5FB8A305F1441EAD90DE7241E774AE818F40

Function 0092648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009264DC
CoInitialize.OLE32(00000000), ref: 00926639
CoCreateInstance.OLE32(0094FCF8,00000000,00000001,0094FB68,?), ref: 00926650
CoUninitialize.OLE32 ref: 009268D4

Strings

.lnk, xrefs: 009264BA, 00926524, 009265E0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c967843abd9681a9728b1991a7f6bd2b1c39573a6c9d81fd78432bc6fbf189e1
Instruction ID: 314ab13047b39506fe8ed80fc6aa0f39ff094fac6d4401fc5a6cfd3b24f67819
Opcode Fuzzy Hash: c967843abd9681a9728b1991a7f6bd2b1c39573a6c9d81fd78432bc6fbf189e1
Instruction Fuzzy Hash: 34D13771508611AFC304EF28D891EABB7E8FF98704F10496DF595CB2A1EB70E905CB92

Function 009322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009322E8

Part of subcall function 0092E4EC: GetWindowRect.USER32(?,?), ref: 0092E504

GetDesktopWindow.USER32 ref: 00932312
GetWindowRect.USER32(00000000), ref: 00932319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00932355
GetCursorPos.USER32(?), ref: 00932381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009323DF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d25e6463d93fcfd58326f38f8331119546f74d65c6a54d848c67a7dff486fae8
Instruction ID: a6c603ad37f056c388e185fe09b032151b91f3c8d98b36192348aa6ba74a9013
Opcode Fuzzy Hash: d25e6463d93fcfd58326f38f8331119546f74d65c6a54d848c67a7dff486fae8
Instruction Fuzzy Hash: 0D31EE72609319AFD720DF14D849F9BBBA9FF89710F000A19F98597191DB34EA08CB92

Function 00929B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00929B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00929C8B

Part of subcall function 00923874: GetInputState.USER32 ref: 009238CB
Part of subcall function 00923874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00923966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00929BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00929C75

Strings

*.*, xrefs: 00929B5D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4df60aca23196b3fac4d6baeacb6d1e9e2df14a705fa09d8883eb630f4ce732c
Instruction ID: fc4345e010ff25a5615d14b65be81d1f0ddc9063f102d929521f5dbaae739dc3
Opcode Fuzzy Hash: 4df60aca23196b3fac4d6baeacb6d1e9e2df14a705fa09d8883eb630f4ce732c
Instruction Fuzzy Hash: 2741A471904219AFDF54DF64D885AEE7BF8FF45310F20415AE449A2295EB309E84CF61

Function 008C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008C9A4E
GetSysColor.USER32(0000000F), ref: 008C9B23
SetBkColor.GDI32(?,00000000), ref: 008C9B36

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: ce937752ea2d772e66f8c8f2635bfbfadb298874be07059f1f9d5c820abf4662
Instruction ID: 62ac7a45a8c3cbfe0adada56f120cb02986f97c8e7ec7711bf3a2b447ea097a7
Opcode Fuzzy Hash: ce937752ea2d772e66f8c8f2635bfbfadb298874be07059f1f9d5c820abf4662
Instruction Fuzzy Hash: B2A13971508428BEE728AA6C9C4DF7B66BDFB82364F14418DF482D66D1CA36ED01D372

Function 00931806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0093304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0093307A
Part of subcall function 0093304E: _wcslen.LIBCMT ref: 0093309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0093185D
WSAGetLastError.WSOCK32 ref: 00931884
bind.WSOCK32(00000000,?,00000010), ref: 009318DB
WSAGetLastError.WSOCK32 ref: 009318E6
closesocket.WSOCK32(00000000), ref: 00931915

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b952312e760681fa9011dc7b0fecd4f9b9e64e8c994836fef771972880c3a699
Instruction ID: 594a426810aaa58dc648c485ca524cd361a285c4e6697f565d692bfb58831fda
Opcode Fuzzy Hash: b952312e760681fa9011dc7b0fecd4f9b9e64e8c994836fef771972880c3a699
Instruction Fuzzy Hash: 6251B575A002109FDB10AF28C886F6A77E5EB45718F08849CF9059F3D3DB75ED418BA2

Function 00941C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00941CC0
IsWindowEnabled.USER32 ref: 00941CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00941CDB
IsIconic.USER32 ref: 00941CE9
IsZoomed.USER32 ref: 00941CF7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ef1dd5eee1f601a91cb33ab3c0cc453ad094176aeddb93846e51f593d4627f24
Instruction ID: ae91d9f737521ebd234298bbeb59e42224b990307b9e0c5236351d60aa49225e
Opcode Fuzzy Hash: ef1dd5eee1f601a91cb33ab3c0cc453ad094176aeddb93846e51f593d4627f24
Instruction Fuzzy Hash: 4221D3717412015FD7208F1ADC84F6A7BE9FF85316B198058E88ACB391DB71EC82CB90

Function 008B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008B83FA
VUUU, xrefs: 008F5DF0
VUUU, xrefs: 008B83E8
ERCP, xrefs: 008B813C
VUUU, xrefs: 008B843C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: df57de3d0785051e38b85384c123b7769f138c39f5c1fc7120d5f910b95b81d5
Instruction ID: 4c374f38228701f86e43e4e06ddd4560b83bd10b50edf65864492b3adeb32c3c
Opcode Fuzzy Hash: df57de3d0785051e38b85384c123b7769f138c39f5c1fc7120d5f910b95b81d5
Instruction Fuzzy Hash: 1DA23970A0061ECBDB248F68C8547FEB7B5FB54314F2482AADA15E7385EB709D91CB90

Function 0091AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0091AAAC
SetKeyboardState.USER32(00000080), ref: 0091AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0091AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0091AB88

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c2d6956c510bfb328ead72ec118fc83b5c427e2ad7e60c2853766e2b92aec5fd
Instruction ID: 747a7af2cfb287ea20396beae34ca36da65ed678bc06827058cdd065bf061f75
Opcode Fuzzy Hash: c2d6956c510bfb328ead72ec118fc83b5c427e2ad7e60c2853766e2b92aec5fd
Instruction Fuzzy Hash: 74312770B8A28CAEFB30CA65CC05BFA7BAAAF55320F04421AF081521D1D3798DC1D762

Function 0092CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0092CE89
GetLastError.KERNEL32(?,00000000), ref: 0092CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0092CEFE

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: d5704be1894ac6058414956ae74398807fc1aef6d74c743cb21f55d97f212e26
Instruction ID: e12b9c66d53e2d421ecaaa2c0153911ffacb1bf8b27b0c5e773ce4f466b0b200
Opcode Fuzzy Hash: d5704be1894ac6058414956ae74398807fc1aef6d74c743cb21f55d97f212e26
Instruction Fuzzy Hash: E821EAF1500715AFEB20DFA5E988BAAB7FCEB00318F10481EE546D2151E774EE088BA0

Function 00918298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009182AA

Strings

|, xrefs: 009182DA
(, xrefs: 009182F0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: ca54bf9ce8ff51cce7e73b2737d3972a17c1f713f4e5725d5effb3c8736357cd
Instruction ID: 9a3e7b6103f48f123c61beb4b16f725c99744e2bf8bac871465b4209719d56dd
Opcode Fuzzy Hash: ca54bf9ce8ff51cce7e73b2737d3972a17c1f713f4e5725d5effb3c8736357cd
Instruction Fuzzy Hash: 22323775A007059FC728CF59C481AAAB7F0FF48710B15C56EE5AADB3A1EB70E981DB40

Function 00925C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00925CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00925D17
FindClose.KERNEL32(?), ref: 00925D5F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 156de51ec979177e4e46618fad13885dd2e740fd163c23f6194d2d319ecf7695
Instruction ID: 4113ec5bc070818077da8a90d3d296d8d5bd3d98a98bee329d3d47e42604840a
Opcode Fuzzy Hash: 156de51ec979177e4e46618fad13885dd2e740fd163c23f6194d2d319ecf7695
Instruction Fuzzy Hash: 0D519975604A019FC714CF28D494E9AB7E8FF49324F15855EE99A8B3A2DB30ED04CF91

Function 008E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008E2731

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 35f615b47f1f9cd2844382ed93f22f9366050675a9beb660648108e90aebb1ae
Instruction ID: a56de78ad7036f15e78ff3834875dc5cfe995d7edb6b5125b84f9c2e8a846d6b
Opcode Fuzzy Hash: 35f615b47f1f9cd2844382ed93f22f9366050675a9beb660648108e90aebb1ae
Instruction Fuzzy Hash: AE31D5749112289BCB21DF68DC88B9CB7B8FF08310F5042EAE41CA7260E7709F818F45

Function 009251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00925238
SetErrorMode.KERNEL32(00000000), ref: 009252A1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 89d4567ccaf1cf7ff718ed1c7c3ebcd2bc8356f9f91fdceca407859e1317978d
Instruction ID: 2d56e9582abfa7189cc9555a5c8d82fa1aa2a116a2f07d9afe7f1f1eb3be822a
Opcode Fuzzy Hash: 89d4567ccaf1cf7ff718ed1c7c3ebcd2bc8356f9f91fdceca407859e1317978d
Instruction Fuzzy Hash: 1F318F75A00518DFDB00DF54D884EEDBBB4FF49314F158099E805AB3A6DB31E845CB91

Function 009116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008D0668
Part of subcall function 008CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0091170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0091173A
GetLastError.KERNEL32 ref: 0091174A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: cc71bf2496d1fc2b1d9f28341245c74467740a852c102eabc280b4b1e5279971
Instruction ID: 70e103f3db1744a7f547401eaf22fae103e9c7e7095c39f1e2ef8156709b115e
Opcode Fuzzy Hash: cc71bf2496d1fc2b1d9f28341245c74467740a852c102eabc280b4b1e5279971
Instruction Fuzzy Hash: 3711C1B2514309BFE7189F54DC86EAAB7BDFB04754B20852EE15693291EB70FC818B20

Function 0091D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0091D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0091D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0091D650

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: dcd640addff3c1fd6ad1004d3acd26dc2d245015872d093731588ed167c94d4b
Instruction ID: e7f454cf3d880b326bfa4014a018a22ae09abdbfc81ba312a76119e394055232
Opcode Fuzzy Hash: dcd640addff3c1fd6ad1004d3acd26dc2d245015872d093731588ed167c94d4b
Instruction Fuzzy Hash: E9118EB5E06228BFDB208F94DC44FEFBBBCEB45B50F108111F904E7290C2B05A018BA1

Function 00911663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0091168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009116A1
FreeSid.ADVAPI32(?), ref: 009116B1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 02675957fdd1a2f7c25459556cc677c680cc9205bd58f4c50c4b5f0469870073
Instruction ID: 7c0e2dcdd62fe69d9b29c44f73f9fda3bdec87d31d1395008817a04afa39543b
Opcode Fuzzy Hash: 02675957fdd1a2f7c25459556cc677c680cc9205bd58f4c50c4b5f0469870073
Instruction Fuzzy Hash: 7AF044B5A5130CFFDF00CFE08C89EAEBBBCEB08200F004860E500E2180E330AA449A50

Function 008EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008EC36C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 15602c40165590a2cad98c422111afe8a8957ba971b86cc086c2b1edfec3d57e
Instruction ID: 627ca5c65ecce5418d35630241ddedd40040875b8c48ccbd14d17cb248e24220
Opcode Fuzzy Hash: 15602c40165590a2cad98c422111afe8a8957ba971b86cc086c2b1edfec3d57e
Instruction Fuzzy Hash: C5413B769002596FCB249FBACC49DBB7778FB86314F10426DF915D7280E6709D82CB50

Function 0090D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0090D28C

Strings

X64, xrefs: 0090D2A8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 76b220eb6d8b1f7e9dec7d5bb0793e6b8b3bf50a85db9e69857153bb82b60702
Instruction ID: 5b946b33f9fb94012534d3468e9b4119fdfffbb1a9f3d62cf8221a4d14ef7853
Opcode Fuzzy Hash: 76b220eb6d8b1f7e9dec7d5bb0793e6b8b3bf50a85db9e69857153bb82b60702
Instruction Fuzzy Hash: 11D0C9B581611DEFCF90DB94DC88DD9B37CBB04305F100555F106E2040D73495489F10

Function 008DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8e6fe5c4ec42dd8b4c45fecb763ba8a63046ec7f99a25e2f0af9b7c0f996cdde
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 3B020D71E0121A9BDF14CFA9C9806ADFBF1FF48314F25826AD919E7384D731AA41CB94

Function 009268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00926918
FindClose.KERNEL32(00000000), ref: 00926961

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ce7cdf652ddd9ee0b2c31216af33249f46c50ec76fb887a2b64fe2462020062b
Instruction ID: e3a302307e2a7febe5d79ba4458640c9801a39b169f46897b42068cbec571879
Opcode Fuzzy Hash: ce7cdf652ddd9ee0b2c31216af33249f46c50ec76fb887a2b64fe2462020062b
Instruction Fuzzy Hash: CC11D0756042109FC710CF29D484A26BBE4FF85328F04C699F4698F7A2CB70EC45CB91

Function 009237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00934891,?,?,00000035,?), ref: 009237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00934891,?,?,00000035,?), ref: 009237F4

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 381c3cd74b361a011c2005d9367f553dfba7b21dc7b78c27bd0ee083de6920cb
Instruction ID: 12a2a2135c962ed8d5dd5dfea799b5f28b2fd9830ea68d9ae3f8554d3d339b66
Opcode Fuzzy Hash: 381c3cd74b361a011c2005d9367f553dfba7b21dc7b78c27bd0ee083de6920cb
Instruction Fuzzy Hash: 7AF05CB06052282BDB1017755C4CFEB3A5DEFC5760F000121F104D2280C9608900C7B0

Function 0091B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0091B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0091B270

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c0a47c0cdba7167a6d23c49068ae4d5a809f0dd182118b1bb41af6627aebfcb7
Instruction ID: 533fb5e858b580f2c7426fe15bcecbaf5afd02db4967875dd388a7dbefff6309
Opcode Fuzzy Hash: c0a47c0cdba7167a6d23c49068ae4d5a809f0dd182118b1bb41af6627aebfcb7
Instruction Fuzzy Hash: 2FF06D7590424DAFDB058FA0C805BEE7BB4FF04305F008409F961A5191C37982059F94

Function 009110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009111FC), ref: 009110D4
CloseHandle.KERNEL32(?,?,009111FC), ref: 009110E9

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: de929160f951e9c019edecb8c63a99e575fc17359b2122c6bf97effc230c7e72
Instruction ID: 608cdd69d9f7447bec48ea484be819966d03e1eca80150e6d0b5ac577573e5fc
Opcode Fuzzy Hash: de929160f951e9c019edecb8c63a99e575fc17359b2122c6bf97effc230c7e72
Instruction Fuzzy Hash: 37E04F72019610AEF7652B15FC05F7377A9FB04310B10882DF6A6804B2DB72AC90EB10

Function 008BCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00900C40

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 63b4de4306e047c699bb728efbde9b669d6ea7ad4155765cc4783897dfc6894d
Instruction ID: 31b8f46ac048809af197d850f7a2a3d8b0fff8baf0936af3493c4e9a8a3cb966
Opcode Fuzzy Hash: 63b4de4306e047c699bb728efbde9b669d6ea7ad4155765cc4783897dfc6894d
Instruction Fuzzy Hash: 9C325574900218DFDF14DF94C891BEDBBB9FF45308F248069E806AB392DB75AA45CB61

Function 008E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008E6766,?,?,00000008,?,?,008EFEFE,00000000), ref: 008E6998

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 53906ffea5bfce5bf4d1e7d888ffa7f041446b60bda4d5607e546c41c4c2e875
Instruction ID: 4368fddb12cb60634fbbb977852096d35ada34e4f6f32cbbe91eee82fcaaeaec
Opcode Fuzzy Hash: 53906ffea5bfce5bf4d1e7d888ffa7f041446b60bda4d5607e546c41c4c2e875
Instruction Fuzzy Hash: BDB16E31610648DFD715CF29C486B657BE0FF163A4F258668E8D9CF2A2D335E9A1CB40

Function 008CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0090851F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 367333c106c7169d84771adac1d34d0d73918f1f5d2a53310e3f352969ff4963
Instruction ID: 60e3d1377984c510e7e5f930deada6dc483316f72ac7d2f6149c154da809caf0
Opcode Fuzzy Hash: 367333c106c7169d84771adac1d34d0d73918f1f5d2a53310e3f352969ff4963
Instruction Fuzzy Hash: 40124F71A006299FCB14CF58C881BEEB7F5FF48710F14819AE849EB295DB349E81CB94

Function 0092EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0092EABD

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 655e0ec9569e76be819e6217c731ec4439cdd6fecd19a5151090158fa99238e5
Instruction ID: 0aabd35b745fa33cc1c76e5d0334f29173cedc56c4b65c219f2c9a1744347620
Opcode Fuzzy Hash: 655e0ec9569e76be819e6217c731ec4439cdd6fecd19a5151090158fa99238e5
Instruction Fuzzy Hash: F5E01A352102149FC710EF59E844E9AB7EDFFA9760F00841AFC4AC7351DAB0A8408B91

Function 008D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008D03EE), ref: 008D09DA

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dad1ad5790e307306fd0722ff8f988e812dd8784c56a3eff12d1c532b571876f
Instruction ID: 86e13c731610f01aadd537a3a1a821340c19db529ddd6eda9855364236fb65dc
Opcode Fuzzy Hash: dad1ad5790e307306fd0722ff8f988e812dd8784c56a3eff12d1c532b571876f
Instruction Fuzzy Hash:

Function 008D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008D798B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: bf0c5d85d4cc8f0d1e208b191bff5dcd246949f470313996d0df2de5ff19a2d4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4E517C7260C749ABDB38452C886D7BE6795FB12304F18073BD886C7382F619DE01E35A

Function 008E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240633ed17d4946537739c9cf218d10a5727664f13cff4b0e563ae45a7b2f75f
Instruction ID: 0994fe569f3799799186d9b27e70e4929f5e91fd612ae35f45c41e17efd8f3b6
Opcode Fuzzy Hash: 240633ed17d4946537739c9cf218d10a5727664f13cff4b0e563ae45a7b2f75f
Instruction Fuzzy Hash: 3E322421D2DF814DD7239636D8223356259EFB73C6F25C737E81AB59A5EB29C4835200

Function 008CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f198dd25a9afb2015224dd35ad1e86a36007d5b3cfc28c308fdb54270edc4791
Instruction ID: 7505df1af976230bff12d70cf40e6794ce03cdc9b0d3a631a2d131e531c327a4
Opcode Fuzzy Hash: f198dd25a9afb2015224dd35ad1e86a36007d5b3cfc28c308fdb54270edc4791
Instruction Fuzzy Hash: 6B32F3B2A041158FDF28CB28C494B7D77B5FB45314F288A6AE89EDB2D1D234DD81EB41

Function 008B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046b7498bbfa3c89f1b57d4fc2255442ceba1887dfc80fb191a0053f77cbb2bd
Instruction ID: a71168f8a68aaba9aaecc7da0c9e57fcbb8bec8e40a30f4ea3f9fb57750c95ca
Opcode Fuzzy Hash: 046b7498bbfa3c89f1b57d4fc2255442ceba1887dfc80fb191a0053f77cbb2bd
Instruction Fuzzy Hash: DD22B0B0A0460A9FDF14CF68D881AEEB7F6FF44314F204629E916EB391EB359950CB51

Function 008B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb474257aa406dfd968d491750d13a47b0fc5548b58ff307b387e253a4e4864
Instruction ID: ebe6c1b4a62170b43bd3b2d78d953067a68779771b34b3a4ee1a990eeedddf8e
Opcode Fuzzy Hash: 3eb474257aa406dfd968d491750d13a47b0fc5548b58ff307b387e253a4e4864
Instruction Fuzzy Hash: 1602C5B1E00219EBDB04DF64D881BADB7B1FF44304F508169EA56DB3A1E731EA60DB91

Function 008E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbb78216b3aa5fcbe2cf20e42f0ff42697a869135b545f1e3971c7ef9e6bba5
Instruction ID: 130e9f8a38a32714051383d3233eb3c0ebb7be92bde523f990534ff4fabfec08
Opcode Fuzzy Hash: cbbb78216b3aa5fcbe2cf20e42f0ff42697a869135b545f1e3971c7ef9e6bba5
Instruction Fuzzy Hash: 89B1E220D3AF414DD623963A8831336B75CAFBB6D6F91D71BFC1674D22EB2285835240

Function 008D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 0dd0757d57e8368d3b10c35b0c015dd5ee2a9db4e4e87cb999431097c5c7a571
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: FD9157726080A35ADF29463A857C07DFFE1EF923A131A079FD4F2CA2C5EE149954D620

Function 008D1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: bb6be8fd905a471e4a9f4d96b39cf7b0acab9b9ced126222720ccd68c8980a91
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 4B9159722090A349DF69433A857843DFFE1EEA23A131A479FD4F2CB2C5EE24D954D620

Function 008D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: af5f65af464600dbaf6aef946cfb04ff950058a3667be846e0a9a338f64ae379
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 959142722090A35ADF69427A857C03DFFE1EE923B531A079FD4F2CA2C5FE2495549620

Function 008D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 335cfa6e4756c7cc48720afe269c8dcb7cf4a45af3e7afedd58a36442c0f11e7
Instruction ID: 51e0c1657fbd13c27ccee68f0d88b698cf3d14c9415a3431513168b830fd5f91
Opcode Fuzzy Hash: 335cfa6e4756c7cc48720afe269c8dcb7cf4a45af3e7afedd58a36442c0f11e7
Instruction Fuzzy Hash: 34614971208719A6DE349A2C8CA6BBE3394FF41764F140B1BE982DB381FA11DE42C756

Function 008D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e1a73744db975cfa712c236d5f5d3ae0e8f9e753173553d2146215fcd1d57c
Instruction ID: b0bffe500a86ea8789ad62c122708648db38d3bcd97ea7b6ed902bfd101b4a69
Opcode Fuzzy Hash: 49e1a73744db975cfa712c236d5f5d3ae0e8f9e753173553d2146215fcd1d57c
Instruction Fuzzy Hash: 98616B7160870DA6DE385A2C9855FBF6396FF42B04F100B5BE943DB389FA11ED428256

Function 008D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fbcafff5f1d77d3b5410a18d709c320216b5945bcd8634ed4a7f418b8b4285d9
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 218168726090A319DF5D827A857C43EFFE1FE923A131A07AFD4F2CA2D5EE148554E620

Function 00922046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfe1e219e44c844a6bb6cb376168db4a21962c060bcbd39b84ea69bd1776678
Instruction ID: 256b5a7e13a5021864f662c4854fc64437c67813104496977c2b2b08b29415fe
Opcode Fuzzy Hash: 9dfe1e219e44c844a6bb6cb376168db4a21962c060bcbd39b84ea69bd1776678
Instruction Fuzzy Hash: 8C21DA327616158BD728CF79C82367E73E9A754310F25862EE4A7C77D0DE35A904DB80

Function 00932ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00932B30
DeleteObject.GDI32(00000000), ref: 00932B43
DestroyWindow.USER32 ref: 00932B52
GetDesktopWindow.USER32 ref: 00932B6D
GetWindowRect.USER32(00000000), ref: 00932B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00932CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00932CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932CF8
GetClientRect.USER32(00000000,?), ref: 00932D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00932D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932D80
GlobalLock.KERNEL32(00000000), ref: 00932D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932D98
GlobalUnlock.KERNEL32(00000000), ref: 00932DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932DA8
GlobalFree.KERNEL32(00000000), ref: 00932DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0094FC38,00000000), ref: 00932DDB
GlobalFree.KERNEL32(00000000), ref: 00932DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00932E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00932E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00932E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0093303F

Strings

AutoIt v3, xrefs: 00932CF2
static, xrefs: 00932D3A, 00932E91
, xrefs: 00932FC5
DISPLAY, xrefs: 00932EA2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: d5d760094d6df5ff0c9c322c4400d4ce6dcfd8030cf1a00c0c9a5afa8cd472b1
Instruction ID: d993e28918c94ace48a76e909798401e6fdde913de7c713ab14db4c5b28c7aec
Opcode Fuzzy Hash: d5d760094d6df5ff0c9c322c4400d4ce6dcfd8030cf1a00c0c9a5afa8cd472b1
Instruction Fuzzy Hash: D6027BB5A10205AFDB14DFA4CC89EAE7BB9FB49310F008159F915AB2A1CB74AD01DF60

Function 009470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0094712F
GetSysColorBrush.USER32(0000000F), ref: 00947160
GetSysColor.USER32(0000000F), ref: 0094716C
SetBkColor.GDI32(?,000000FF), ref: 00947186
SelectObject.GDI32(?,?), ref: 00947195
InflateRect.USER32(?,000000FF,000000FF), ref: 009471C0
GetSysColor.USER32(00000010), ref: 009471C8
CreateSolidBrush.GDI32(00000000), ref: 009471CF
FrameRect.USER32(?,?,00000000), ref: 009471DE
DeleteObject.GDI32(00000000), ref: 009471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00947230
FillRect.USER32(?,?,?), ref: 00947262
GetWindowLongW.USER32(?,000000F0), ref: 00947284

Part of subcall function 009473E8: GetSysColor.USER32(00000012), ref: 00947421
Part of subcall function 009473E8: SetTextColor.GDI32(?,?), ref: 00947425
Part of subcall function 009473E8: GetSysColorBrush.USER32(0000000F), ref: 0094743B
Part of subcall function 009473E8: GetSysColor.USER32(0000000F), ref: 00947446
Part of subcall function 009473E8: GetSysColor.USER32(00000011), ref: 00947463
Part of subcall function 009473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00947471
Part of subcall function 009473E8: SelectObject.GDI32(?,00000000), ref: 00947482
Part of subcall function 009473E8: SetBkColor.GDI32(?,00000000), ref: 0094748B
Part of subcall function 009473E8: SelectObject.GDI32(?,?), ref: 00947498
Part of subcall function 009473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009474B7
Part of subcall function 009473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009474CE
Part of subcall function 009473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009474DB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1917c978b8c0d7565f62654f706f5b4d6178b971231c7a36da55fadfb8a53b73
Instruction ID: 2118af95ec2ddd47b76586b3d58fab4cb44bc9c494b0304cf11ae89b6faa2f34
Opcode Fuzzy Hash: 1917c978b8c0d7565f62654f706f5b4d6178b971231c7a36da55fadfb8a53b73
Instruction Fuzzy Hash: D3A1D0B601D305BFDB509FA0DC48E6BBBA9FF8A320F100A19F962961E1D774E800DB51

Function 008C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00906AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00906AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00906F43

Part of subcall function 008C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008C8BE8,?,00000000,?,?,?,?,008C8BBA,00000000,?), ref: 008C8FC5

SendMessageW.USER32(?,00001053), ref: 00906F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00906F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00906FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00906FB7

Strings

0, xrefs: 00906DCF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d0a1edbc10063eb8533dd060f9ca597d67f76069a38adc120f6d998e5462d911
Instruction ID: 30ef5c6ad431d851f506cc0b2fa875beeb5e70a86a765a188edd16ccde8471e6
Opcode Fuzzy Hash: d0a1edbc10063eb8533dd060f9ca597d67f76069a38adc120f6d998e5462d911
Instruction Fuzzy Hash: D2127A74209211EFDB25CF14D854FAABBB9FB45300F14446DF599CB2A2CB32E862DB91

Function 00932711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0093273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0093286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00932900
GetClientRect.USER32(00000000,?), ref: 0093290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00932955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00932964
GetStockObject.GDI32(00000011), ref: 00932974
SelectObject.GDI32(00000000,00000000), ref: 00932978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00932988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00932991
DeleteDC.GDI32(00000000), ref: 0093299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00932A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00932A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00932A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00932A77
GetStockObject.GDI32(00000011), ref: 00932A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00932A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00932A97

Strings

static, xrefs: 0093294F, 00932A71
AutoIt v3, xrefs: 009328F8
msctls_progress32, xrefs: 00932A13
DISPLAY, xrefs: 0093295A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 025ebffa659cab0d1af0ea3049bc19b1280dfe7af75d1f2b1bd3544c1599abb5
Instruction ID: 89359d82c35fde552cd7223ad5cacf7e60a312f499fb2b8d50c046029854207c
Opcode Fuzzy Hash: 025ebffa659cab0d1af0ea3049bc19b1280dfe7af75d1f2b1bd3544c1599abb5
Instruction Fuzzy Hash: 4FB16CB5A10215AFEB14DFA8CC4AFAE7BA9FB49710F008515F915E72A0D770AD40CFA4

Function 00924ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00924AED
GetDriveTypeW.KERNEL32(?,0094CB68,?,\\.\,0094CC08), ref: 00924BCA
SetErrorMode.KERNEL32(00000000,0094CB68,?,\\.\,0094CC08), ref: 00924D36

Strings

PhysicalDrive, xrefs: 00924B76
Unknown, xrefs: 00924BED, 00924C83
SSD, xrefs: 00924C4A
RAMDisk, xrefs: 00924BF4
SATA, xrefs: 00924CD0
USB, xrefs: 00924CB4
ATAPI, xrefs: 00924C91
CDROM, xrefs: 00924BFB
MMC, xrefs: 00924CDE
\\.\, xrefs: 00924B3F
Fixed, xrefs: 00924C09
Network, xrefs: 00924C02
ATA, xrefs: 00924C98
1394, xrefs: 00924C9F
Removable, xrefs: 00924C10, 00924C15
SAS, xrefs: 00924CC9
Fibre, xrefs: 00924CAD
FileBackedVirtual, xrefs: 00924CEC
SCSI, xrefs: 00924C8A
RAID, xrefs: 00924CBB
Virtual, xrefs: 00924CE5
SSA, xrefs: 00924CA6
iSCSI, xrefs: 00924CC2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5b0006cdab636d180e74456d32a730cca742b938a20f30bda76d1c26d6e32dfa
Instruction ID: 179308d62f8aaac18666c007a94dde3f6bfaec6fdd92a908c05ba04a9bbf752f
Opcode Fuzzy Hash: 5b0006cdab636d180e74456d32a730cca742b938a20f30bda76d1c26d6e32dfa
Instruction Fuzzy Hash: 7961F4317056159FCB14DF2CEA81DED77A0EB84304B248416F88AAB39ADB35ED41DB42

Function 009473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00947421
SetTextColor.GDI32(?,?), ref: 00947425
GetSysColorBrush.USER32(0000000F), ref: 0094743B
GetSysColor.USER32(0000000F), ref: 00947446
CreateSolidBrush.GDI32(?), ref: 0094744B
GetSysColor.USER32(00000011), ref: 00947463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00947471
SelectObject.GDI32(?,00000000), ref: 00947482
SetBkColor.GDI32(?,00000000), ref: 0094748B
SelectObject.GDI32(?,?), ref: 00947498
InflateRect.USER32(?,000000FF,000000FF), ref: 009474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0094752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00947554
InflateRect.USER32(?,000000FD,000000FD), ref: 00947572
DrawFocusRect.USER32(?,?), ref: 0094757D
GetSysColor.USER32(00000011), ref: 0094758E
SetTextColor.GDI32(?,00000000), ref: 00947596
DrawTextW.USER32(?,009470F5,000000FF,?,00000000), ref: 009475A8
SelectObject.GDI32(?,?), ref: 009475BF
DeleteObject.GDI32(?), ref: 009475CA
SelectObject.GDI32(?,?), ref: 009475D0
DeleteObject.GDI32(?), ref: 009475D5
SetTextColor.GDI32(?,?), ref: 009475DB
SetBkColor.GDI32(?,?), ref: 009475E5

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3106b991d7c22930a3c738cc575eb74d17248d77414c999dcce1e7296e7be475
Instruction ID: 1ab33adffe3aabf3758b7c6b4070c97dc97b6ed6f38fc212d81f497b8598920f
Opcode Fuzzy Hash: 3106b991d7c22930a3c738cc575eb74d17248d77414c999dcce1e7296e7be475
Instruction Fuzzy Hash: E4618AB6909218AFDF009FA4DC48EAEBFB9EB09320F114515FA15BB2A1D7749940DF90

Function 00940FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00941128
GetDesktopWindow.USER32 ref: 0094113D
GetWindowRect.USER32(00000000), ref: 00941144
GetWindowLongW.USER32(?,000000F0), ref: 00941199
DestroyWindow.USER32(?), ref: 009411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0094120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0094121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00941232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00941245
IsWindowVisible.USER32(00000000), ref: 009412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009412D0
GetWindowRect.USER32(00000000,?), ref: 009412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0094130E
GetMonitorInfoW.USER32(00000000,?), ref: 00941328
CopyRect.USER32(?,?), ref: 0094133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009413AA

Strings

tooltips_class32, xrefs: 009411E6
(, xrefs: 0094131B
0, xrefs: 009410D3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 335425e7da3b83c61c23b8b0d4b4a6b6c59589e07bed585bd3c69fa44f27efe4
Instruction ID: d77ee26ba04e13274cfffd0477daf4e9af92af608b660ae76ab689dab97fa3ce
Opcode Fuzzy Hash: 335425e7da3b83c61c23b8b0d4b4a6b6c59589e07bed585bd3c69fa44f27efe4
Instruction Fuzzy Hash: 1EB18D71608341AFD754DF64C884FAABBE8FF89354F008918F999DB261D771E884CB92

Function 00940241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009402E5
_wcslen.LIBCMT ref: 0094031F
_wcslen.LIBCMT ref: 00940389
_wcslen.LIBCMT ref: 009403F1
_wcslen.LIBCMT ref: 00940475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00940504

Part of subcall function 008CF9F2: _wcslen.LIBCMT ref: 008CF9FD

Part of subcall function 0091223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00912258
Part of subcall function 0091223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0091228A

Strings

GETITEMCOUNT, xrefs: 00940316, 00940337
GETSUBITEMCOUNT, xrefs: 00940384, 0094039F
FINDITEM, xrefs: 00940627
SELECT, xrefs: 00940548
SELECTCLEAR, xrefs: 0094052D
GETSELECTED, xrefs: 009405E1
SELECTINVERT, xrefs: 0094057E
SELECTALL, xrefs: 00940515
ISSELECTED, xrefs: 009404DD
VIEWCHANGE, xrefs: 00940675
GETSELECTEDCOUNT, xrefs: 00940470, 0094048B
DESELECT, xrefs: 0094059C
GETTEXT, xrefs: 009403EC, 00940407

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f521670a09cc55f306da5f77bec36ba3193fa8832741c201b38c4d83672bb948
Instruction ID: 2ed065a2224e3aa8b3962ed7d4e4b3c38e6e8a5852d1d68914f1458b11fb3be6
Opcode Fuzzy Hash: f521670a09cc55f306da5f77bec36ba3193fa8832741c201b38c4d83672bb948
Instruction Fuzzy Hash: 83E18C312182018BC724DF28C451D6AB7EAFFC8714F148A6DF9969B3A1DB30ED45CB42

Function 008C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008C8968
GetSystemMetrics.USER32(00000007), ref: 008C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008C899B
GetSystemMetrics.USER32(00000008), ref: 008C89A3
GetSystemMetrics.USER32(00000004), ref: 008C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008C8A5A
GetStockObject.GDI32(00000011), ref: 008C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008C8A81

Part of subcall function 008C912D: GetCursorPos.USER32(?), ref: 008C9141
Part of subcall function 008C912D: ScreenToClient.USER32(00000000,?), ref: 008C915E
Part of subcall function 008C912D: GetAsyncKeyState.USER32(00000001), ref: 008C9183
Part of subcall function 008C912D: GetAsyncKeyState.USER32(00000002), ref: 008C919D

SetTimer.USER32(00000000,00000000,00000028,008C90FC), ref: 008C8AA8

Strings

AutoIt v3 GUI, xrefs: 008C8A20

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 6dd1099645ac1859b59399f928e8a3475a90fa6524fb0145c5ffd24c00c946c2
Instruction ID: 22970358214df1dbaf227a08ab6886fe3dd46cefd2efde029897bbfa247f38a4
Opcode Fuzzy Hash: 6dd1099645ac1859b59399f928e8a3475a90fa6524fb0145c5ffd24c00c946c2
Instruction Fuzzy Hash: 67B16875A0420AEFDB14DFA8D845FAE3BB9FB48314F104229FA15EB290DB34E841DB55

Function 00910D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00911114
Part of subcall function 009110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 00911120
Part of subcall function 009110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 0091112F
Part of subcall function 009110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 00911136
Part of subcall function 009110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0091114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00910DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00910E29
GetLengthSid.ADVAPI32(?), ref: 00910E40
GetAce.ADVAPI32(?,00000000,?), ref: 00910E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00910E96
GetLengthSid.ADVAPI32(?), ref: 00910EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00910EB5
HeapAlloc.KERNEL32(00000000), ref: 00910EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00910EDD
CopySid.ADVAPI32(00000000), ref: 00910EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00910F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00910F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00910F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00910F6E
HeapFree.KERNEL32(00000000), ref: 00910F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00910F7E
HeapFree.KERNEL32(00000000), ref: 00910F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00910F8E
HeapFree.KERNEL32(00000000), ref: 00910F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00910FA1
HeapFree.KERNEL32(00000000), ref: 00910FA8

Part of subcall function 00911193: GetProcessHeap.KERNEL32(00000008,00910BB1,?,00000000,?,00910BB1,?), ref: 009111A1
Part of subcall function 00911193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00910BB1,?), ref: 009111A8
Part of subcall function 00911193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00910BB1,?), ref: 009111B7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 13094d8cfad6c6e82f3db1dd3bb4f5250f7308bcc06a2b6a6ee4d5eb24ce2a40
Instruction ID: 96349f1a2bddc7c212eccaae54785e467d83c091e6bebef3d7afb44361632b1e
Opcode Fuzzy Hash: 13094d8cfad6c6e82f3db1dd3bb4f5250f7308bcc06a2b6a6ee4d5eb24ce2a40
Instruction Fuzzy Hash: 88718CB2A0520AEFDF209FA5DC45FEEBBBCBF49300F044115F919A6291D7719986CB60

Function 0093C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0093C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0094CC08,00000000,?,00000000,?,?), ref: 0093C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0093C5A4
_wcslen.LIBCMT ref: 0093C5F4
_wcslen.LIBCMT ref: 0093C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0093C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0093C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0093C84D
RegCloseKey.ADVAPI32(?), ref: 0093C881
RegCloseKey.ADVAPI32(00000000), ref: 0093C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0093C960

Strings

REG_BINARY, xrefs: 0093C913
REG_MULTI_SZ, xrefs: 0093C6F5
REG_SZ, xrefs: 0093C644
REG_DWORD, xrefs: 0093C804
REG_QWORD, xrefs: 0093C8C3
REG_EXPAND_SZ, xrefs: 0093C5CD

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d5888002e184a13cbbd3b32f099ea18a2808cfc48fc35c96f783b4f8a9f771fd
Instruction ID: d2ee73f054809de4216bdf3c2ead97ac2eabfe36aa0a3cb9fd27ce7b427b84c6
Opcode Fuzzy Hash: d5888002e184a13cbbd3b32f099ea18a2808cfc48fc35c96f783b4f8a9f771fd
Instruction Fuzzy Hash: 2A1248756046019FDB14DF18C881A6AB7E5FF88714F14885DF88AAB3A2DB31ED41CB92

Function 0094091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009409C6
_wcslen.LIBCMT ref: 00940A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00940A54
_wcslen.LIBCMT ref: 00940A8A
_wcslen.LIBCMT ref: 00940B06
_wcslen.LIBCMT ref: 00940B81

Part of subcall function 008CF9F2: _wcslen.LIBCMT ref: 008CF9FD

Part of subcall function 00912BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00912BFA

Strings

EXPAND, xrefs: 00940BF8
UNCHECK, xrefs: 00940D3E
GETTOTALCOUNT, xrefs: 009409F2, 00940A17
COLLAPSE, xrefs: 00940B01, 00940B1C
CHECK, xrefs: 00940A85, 00940AA0
GETITEMCOUNT, xrefs: 00940C1E
SELECT, xrefs: 00940D11
GETTEXT, xrefs: 00940C97
EXISTS, xrefs: 00940B7C, 00940B97
GETSELECTED, xrefs: 00940C4E
ISCHECKED, xrefs: 00940CE1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ce052156a5a12a58408065aced76e541b7b9de2034286d54a3e7e19cf77d3a3e
Instruction ID: ecd266935fa5a030d998d671e88f461278d4548c2b04a730fdea4d5377357cba
Opcode Fuzzy Hash: ce052156a5a12a58408065aced76e541b7b9de2034286d54a3e7e19cf77d3a3e
Instruction Fuzzy Hash: AFE159356083019FCB24DF28C45196AB7E5FFD8314B14895DF99A9B3A2D730ED49CB82

Function 0093C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0093B6AE,?,?), ref: 0093C9B5
_wcslen.LIBCMT ref: 0093C9F1
_wcslen.LIBCMT ref: 0093CA68
_wcslen.LIBCMT ref: 0093CA9E
_wcslen.LIBCMT ref: 0093CAF9
_wcslen.LIBCMT ref: 0093CB2F
_wcslen.LIBCMT ref: 0093CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0093CA62, 0093CA67
HKLM, xrefs: 0093CA98, 0093CA9D
HKEY_CLASSES_ROOT, xrefs: 0093CAF3, 0093CAF8
HKU, xrefs: 0093CBF0
HKEY_CURRENT_USER, xrefs: 0093CBBD
HKCR, xrefs: 0093CB29, 0093CB2E
HKEY_CURRENT_CONFIG, xrefs: 0093CB79, 0093CB7E
HKCC, xrefs: 0093CBAC
HKCU, xrefs: 0093CBCE
HKEY_USERS, xrefs: 0093CBDF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d33262461b86a5936fcfabd444b4a67c112f2cc326b7918624b2ee1e08d9531d
Instruction ID: 740f8382df6826b6ab68b5de204a21803e490d871c62bf09cffd911a382b6573
Opcode Fuzzy Hash: d33262461b86a5936fcfabd444b4a67c112f2cc326b7918624b2ee1e08d9531d
Instruction Fuzzy Hash: 787114B360092A8BCB20DF7CCD515BE73A9AF60750F214528F896F7284EA35CD45CBA1

Function 0094833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0094835A
_wcslen.LIBCMT ref: 0094836E
_wcslen.LIBCMT ref: 00948391
_wcslen.LIBCMT ref: 009483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00945BF2), ref: 0094844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00948487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00948501
FreeLibrary.KERNEL32(?), ref: 0094850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0094851D
DestroyIcon.USER32(?,?,?,?,?,00945BF2), ref: 0094852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00948549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00948555

Strings

.icl, xrefs: 00948368
.exe, xrefs: 00948388
.dll, xrefs: 009483AB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 719cc72acbef11c60ebd722653c5f5b490808bada2ae09b147e3fb17da1ba9d8
Instruction ID: 848695fbffc4d9b662a2e116f558e61b8d01fd1a4062912ff9c81f1a8527e15c
Opcode Fuzzy Hash: 719cc72acbef11c60ebd722653c5f5b490808bada2ae09b147e3fb17da1ba9d8
Instruction Fuzzy Hash: 0561CDB1954215BEEB149F64CC81FBF77ACFB04B11F10464AF815D61E1DB74AA80DBA0

Function 008B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 008B7873, 008B78C5
#include-once, xrefs: 008B782F
Bad directive syntax error, xrefs: 008F519A
', xrefs: 008F5169
#requireadmin, xrefs: 008B77FF
Cannot parse #include, xrefs: 008F5279
#pragma compile, xrefs: 008B77D3
", xrefs: 008F5153
#comments-end, xrefs: 008B78D9
Unterminated group of comments, xrefs: 008F528C
#comments-start, xrefs: 008B785F, 008B78B1
#include, xrefs: 008B7847
#ce, xrefs: 008B78ED
#OnAutoItStartRegister, xrefs: 008B7817
#notrayicon, xrefs: 008B77E7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: febe62e79cc6c129c8c70f348127b690b85a111bc40ccb73d901fddc0f971b7b
Instruction ID: 4c8d4a5e4d07cd2d469ab7ca7fffd26b9c3711981a838baed225b8be9c3603e6
Opcode Fuzzy Hash: febe62e79cc6c129c8c70f348127b690b85a111bc40ccb73d901fddc0f971b7b
Instruction Fuzzy Hash: B281D571644709BBDB20AF64CC42FFE37A9FF95304F044025FA05EA292EB70D951D6A6

Function 00923E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00923EF8
_wcslen.LIBCMT ref: 00923F03
_wcslen.LIBCMT ref: 00923F5A
_wcslen.LIBCMT ref: 00923F98
GetDriveTypeW.KERNEL32(?), ref: 00923FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00924059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00924087

Strings

close, xrefs: 00923EFE, 00923F18
close cd wait, xrefs: 00924072
type cdaudio alias cd wait, xrefs: 00924001
set cd door , xrefs: 00924028
wait, xrefs: 00924044
closed, xrefs: 00923F08, 00923F2D, 00923F46, 00923F7E, 00923F97
open, xrefs: 00923F54, 00923F59
open , xrefs: 00923FE5

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: cbf22126a6ed47e177785cc3f3f3d3b826d6516045af6f0029e3d61336ea713a
Instruction ID: 3652b75926f005be1a31203d5efc7523b03221eaa10a983c34ebda3b96cbd31d
Opcode Fuzzy Hash: cbf22126a6ed47e177785cc3f3f3d3b826d6516045af6f0029e3d61336ea713a
Instruction Fuzzy Hash: 6471AC726042119FC310EF28D8818AAB7F8FF98758F10892DF99597255EB34ED49CB92

Function 00915A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00915A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00915A40
SetWindowTextW.USER32(?,?), ref: 00915A57
GetDlgItem.USER32(?,000003EA), ref: 00915A6C
SetWindowTextW.USER32(00000000,?), ref: 00915A72
GetDlgItem.USER32(?,000003E9), ref: 00915A82
SetWindowTextW.USER32(00000000,?), ref: 00915A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00915AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00915AC3
GetWindowRect.USER32(?,?), ref: 00915ACC
_wcslen.LIBCMT ref: 00915B33
SetWindowTextW.USER32(?,?), ref: 00915B6F
GetDesktopWindow.USER32 ref: 00915B75
GetWindowRect.USER32(00000000), ref: 00915B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00915BD3
GetClientRect.USER32(?,?), ref: 00915BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00915C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00915C2F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 04e54548992f8cbfd1acfd2336a2167a60cfa45c02f449164c3336e6c18fc0ea
Instruction ID: aeea743942a38160cf0c726214c565e0adc62fa6f610bbfe8b8af7e75067f5f6
Opcode Fuzzy Hash: 04e54548992f8cbfd1acfd2336a2167a60cfa45c02f449164c3336e6c18fc0ea
Instruction Fuzzy Hash: 89718171A04B09EFDB20DFA8CD85EAEBBF5FF88704F124918E542A25A0D775E940DB50

Function 0092FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0092FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0092FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0092FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0092FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0092FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0092FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0092FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0092FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0092FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0092FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0092FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0092FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0092FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0092FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0092FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0092FECC
GetCursorInfo.USER32(?), ref: 0092FEDC
GetLastError.KERNEL32 ref: 0092FF1E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1505249973618adbcc82f4476ac30ebc9b6c24d6ebc972518e5e5a6120798ad9
Instruction ID: 769c7f014cde6dd170efb26e6fbfc2be9e2743cee8a4838e8e23e397dc4f3ba0
Opcode Fuzzy Hash: 1505249973618adbcc82f4476ac30ebc9b6c24d6ebc972518e5e5a6120798ad9
Instruction Fuzzy Hash: C64140B0D093196ADB109FBA9C8989EBFF8FF04354B50453AE119E7291DB78A9018F91

Function 008D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008D00C6

Part of subcall function 008D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0098070C,00000FA0,B29300A5,?,?,?,?,008F23B3,000000FF), ref: 008D011C
Part of subcall function 008D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008F23B3,000000FF), ref: 008D0127
Part of subcall function 008D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008F23B3,000000FF), ref: 008D0138
Part of subcall function 008D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008D014E
Part of subcall function 008D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008D015C
Part of subcall function 008D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008D016A
Part of subcall function 008D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008D0195
Part of subcall function 008D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008D01A0

___scrt_fastfail.LIBCMT ref: 008D00E7

Part of subcall function 008D00A3: __onexit.LIBCMT ref: 008D00A9

Strings

InitializeConditionVariable, xrefs: 008D0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008D0122
kernel32.dll, xrefs: 008D0133
WakeAllConditionVariable, xrefs: 008D0162
SleepConditionVariableCS, xrefs: 008D0154

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 233c06fc4125ccc6fb0133419a5a5b11d26f128d20f8e858a306da1653d5775f
Instruction ID: 51c2367cbcc333e0579bde1bcad8121e18888830741e306b9f6cd14f152b36b1
Opcode Fuzzy Hash: 233c06fc4125ccc6fb0133419a5a5b11d26f128d20f8e858a306da1653d5775f
Instruction Fuzzy Hash: 8021F972A5D7116FEB506B64AC05F6A33E4FB85B55F00023AF905D73D1DB749C009E91

Function 009130F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0091318D
_wcslen.LIBCMT ref: 009131F8

Strings

INSTANCE, xrefs: 00913453
CLASSNN, xrefs: 009131F3, 00913204
NAME, xrefs: 00913335, 00913346
TEXT, xrefs: 0091347C
CLASS, xrefs: 00913188, 009131A5
REGEXPCLASS, xrefs: 00913255, 00913266

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 1b755815b108b2fd40f792ed5400e881b7541e7724d517c7de778b261b732da8
Instruction ID: 3ecae097773064ad6045869405c72cab7cb7652ccafaac3589361563373d21e0
Opcode Fuzzy Hash: 1b755815b108b2fd40f792ed5400e881b7541e7724d517c7de778b261b732da8
Instruction Fuzzy Hash: 60E1E532B0051AABDB189F78C451BEDBBB9FF44710F54C629E46AE7250DB30AEC58790

Function 009244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0094CC08), ref: 00924527
_wcslen.LIBCMT ref: 0092453B
_wcslen.LIBCMT ref: 00924599
_wcslen.LIBCMT ref: 009245F4
_wcslen.LIBCMT ref: 0092463F
_wcslen.LIBCMT ref: 009246A7

Part of subcall function 008CF9F2: _wcslen.LIBCMT ref: 008CF9FD

GetDriveTypeW.KERNEL32(?,00976BF0,00000061), ref: 00924743

Strings

network, xrefs: 0092469D, 009246A2
fixed, xrefs: 00924635, 0092463A
ramdisk, xrefs: 009246F1
unknown, xrefs: 00924708
all, xrefs: 00924531, 00924536
removable, xrefs: 009245EA, 009245EF
cdrom, xrefs: 0092458F, 00924594

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9e27bfd19bbe36b72e4632cc73b1130a2fa357f12b426993e51432806282586a
Instruction ID: 121d5d9113a0ffbd8267b2ab227104c181dbca2ac22209b93a9dd30f598af83d
Opcode Fuzzy Hash: 9e27bfd19bbe36b72e4632cc73b1130a2fa357f12b426993e51432806282586a
Instruction Fuzzy Hash: 9FB1E2316083229FC710DF28E890A6AB7E9FFA5720F50491DF5A6C7399E730D844CB92

Function 00933FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0094CC08), ref: 009340BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009340CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0094CC08), ref: 009340F2
FreeLibrary.KERNEL32(00000000,?,0094CC08), ref: 0093413E
StringFromGUID2.OLE32(?,?,00000028,?,0094CC08), ref: 009341A8
SysFreeString.OLEAUT32(00000009), ref: 00934262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009342C8
SysFreeString.OLEAUT32(?), ref: 009342F2

Strings

GetModuleHandleExW, xrefs: 009340C7
kernel32.dll, xrefs: 009340B6

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 812869149446cb725182e5714b8f6f983412f493a77fb60987a07c743680c6b2
Instruction ID: 07226345eecc42aed39b6cf363a767c8b695084f403eb5161684222e2d249d39
Opcode Fuzzy Hash: 812869149446cb725182e5714b8f6f983412f493a77fb60987a07c743680c6b2
Instruction Fuzzy Hash: 47121975A00119EFDB14CF94C888EAEBBB9FF45314F258498E905AB261D731ED46CFA0

Function 008B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00981990), ref: 008F2F8D
GetMenuItemCount.USER32(00981990), ref: 008F303D
GetCursorPos.USER32(?), ref: 008F3081
SetForegroundWindow.USER32(00000000), ref: 008F308A
TrackPopupMenuEx.USER32(00981990,00000000,?,00000000,00000000,00000000), ref: 008F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008F30A9

Strings

0, xrefs: 008B327D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 43a57c6de2b6bed5800d01ccc5d7b418a6ed147e1dedb7e1d001a16043c5143e
Instruction ID: 7f10000aa3026380995c522a1f9fe6f2b3c72d72fc21c85e71b648a290f8f255
Opcode Fuzzy Hash: 43a57c6de2b6bed5800d01ccc5d7b418a6ed147e1dedb7e1d001a16043c5143e
Instruction Fuzzy Hash: EF71FB70644209BEEB258F78CC49FEABF65FF45364F204216F614E62D1CBB1A950DB50

Function 00946CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00946DEB

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00946E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00946E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00946E94
DestroyWindow.USER32(?), ref: 00946EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008B0000,00000000), ref: 00946EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00946EFD
GetDesktopWindow.USER32 ref: 00946F16
GetWindowRect.USER32(00000000), ref: 00946F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00946F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00946F4D

Part of subcall function 008C9944: GetWindowLongW.USER32(?,000000EB), ref: 008C9952

Strings

tooltips_class32, xrefs: 00946E58, 00946EDD
0, xrefs: 00946D98

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c20b0e7dd0946c1968d85798562c32e9858b4b22440870c69b4d079caa88d8ba
Instruction ID: 31657bb88947146a70f0050b9836c282aaa23c6ff3d0b73a1b30f9b817a9b4e4
Opcode Fuzzy Hash: c20b0e7dd0946c1968d85798562c32e9858b4b22440870c69b4d079caa88d8ba
Instruction Fuzzy Hash: 057168B4108341AFDB25CF18D844EAABBF9FB8A304F04495DF99987261D771A90ADB12

Function 0094911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00949147

Part of subcall function 00947674: ClientToScreen.USER32(?,?), ref: 0094769A
Part of subcall function 00947674: GetWindowRect.USER32(?,?), ref: 00947710
Part of subcall function 00947674: PtInRect.USER32(?,?,00948B89), ref: 00947720

SendMessageW.USER32(?,000000B0,?,?), ref: 009491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00949225
SendMessageW.USER32(?,000000B0,?,?), ref: 0094923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00949255
SendMessageW.USER32(?,000000B1,?,?), ref: 00949277
DragFinish.SHELL32(?), ref: 0094927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00949371

Strings

@GUI_DROPID, xrefs: 0094929E
@GUI_DRAGFILE, xrefs: 00949320
@GUI_DRAGID, xrefs: 009492E9

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: c12ee48d57381e751322c7e57f7711d5dbe5a0cfda1b58150e3e6000af8bdf96
Instruction ID: 2df56cb6096cee17d3aaeef46757d82a882b6d1ed079f63dc32a46a3b359129f
Opcode Fuzzy Hash: c12ee48d57381e751322c7e57f7711d5dbe5a0cfda1b58150e3e6000af8bdf96
Instruction Fuzzy Hash: 8E613771108301AFD705EF64DC85DAFBBE8FF89750F004A2EF595922A1DB709A49CB52

Function 0092C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0092C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0092C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0092C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0092C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0092C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0092C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0092C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0092C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0092C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0092C5F0
InternetCloseHandle.WININET(00000000), ref: 0092C5FB

Strings

, xrefs: 0092C575

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 6e4b015c9bec8a790e707920820424fdac1f59c4c60902f3626f94c7c1c1bbec
Instruction ID: bfd94a95cee6b8178e4d2587cfa681eb55168ec73713926d568dbc953685ba08
Opcode Fuzzy Hash: 6e4b015c9bec8a790e707920820424fdac1f59c4c60902f3626f94c7c1c1bbec
Instruction Fuzzy Hash: AD516AF4505619BFEB219F60D988EAF7BFCFF09344F00441AF94596214DB74E904AB60

Function 0094856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00948592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009485BA
GlobalLock.KERNEL32(00000000), ref: 009485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009485D7
GlobalUnlock.KERNEL32(00000000), ref: 009485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0094FC38,?), ref: 00948611
GlobalFree.KERNEL32(00000000), ref: 00948621
GetObjectW.GDI32(?,00000018,?), ref: 00948641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00948671
DeleteObject.GDI32(?), ref: 00948699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009486AF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6e4a43a02140427072951117556959c6342a8c0624bce95039d971ddeca4b8be
Instruction ID: b40a9a1019ac063548265848b3886b4fb649e8aed83f47b8467f36f5cd8e7bb0
Opcode Fuzzy Hash: 6e4a43a02140427072951117556959c6342a8c0624bce95039d971ddeca4b8be
Instruction Fuzzy Hash: CF4129B9615204AFDB519FA5CC48EAF7BBCEF8A715F108058F915E7260DB709901DB20

Function 009214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00921502
VariantCopy.OLEAUT32(?,?), ref: 0092150B
VariantClear.OLEAUT32(?), ref: 00921517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00921657
VariantInit.OLEAUT32(?), ref: 00921708
SysFreeString.OLEAUT32(?), ref: 0092178C
VariantClear.OLEAUT32(?), ref: 009217D8
VariantClear.OLEAUT32(?), ref: 009217E7
VariantInit.OLEAUT32(00000000), ref: 00921823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00921625
Default, xrefs: 009216AF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 51e6607c8f500ec0b3c41100207f1573b8aa4e379258dca4ed43c5fb7a1b22f2
Instruction ID: 5c3e65398fb48c6ddba5b28970064d4bcad90d8cb9668eb71ac65b1b4209ac1e
Opcode Fuzzy Hash: 51e6607c8f500ec0b3c41100207f1573b8aa4e379258dca4ed43c5fb7a1b22f2
Instruction Fuzzy Hash: 38D11171A00225DBDB009F69E884FBDB7B9FF54700F10849AF506AB299DB34DC61DB62

Function 0093B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 0093C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0093B6AE,?,?), ref: 0093C9B5
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093C9F1
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA68
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0093B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0093B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0093B80A
RegCloseKey.ADVAPI32(?), ref: 0093B87E
RegCloseKey.ADVAPI32(?), ref: 0093B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0093B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0093B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0093B922
FreeLibrary.KERNEL32(00000000), ref: 0093B983
RegCloseKey.ADVAPI32(00000000), ref: 0093B994

Strings

RegDeleteKeyExW, xrefs: 0093B8FE
advapi32.dll, xrefs: 0093B8ED

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6b76be4e87e5eb5091481daccc167574ecf05ca1201f87f7be39e0e6ed379759
Instruction ID: 1b0360247b1570ee130d8c6c94ac6277e775068936bd2616c2e36f5da67c2f83
Opcode Fuzzy Hash: 6b76be4e87e5eb5091481daccc167574ecf05ca1201f87f7be39e0e6ed379759
Instruction Fuzzy Hash: 97C16934208201AFD714DF18C495F6ABBE9FF84318F14849CE59A8B3A2CB75E945CF92

Function 0093255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009325E8
CreateCompatibleDC.GDI32(?), ref: 009325F4
SelectObject.GDI32(00000000,?), ref: 00932601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0093266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009326D0
SelectObject.GDI32(?,?), ref: 009326D8
DeleteObject.GDI32(?), ref: 009326E1
DeleteDC.GDI32(?), ref: 009326E8
ReleaseDC.USER32(00000000,?), ref: 009326F3

Strings

(, xrefs: 0093268D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e419c79ceda547913f5632c2a61b7181a5b92a9b4d0f6a2a96d1c3315f01a970
Instruction ID: c27e67ba51e6d0a3235c8678a4feaedc9bf157436f3f41b825d651d67404ee9d
Opcode Fuzzy Hash: e419c79ceda547913f5632c2a61b7181a5b92a9b4d0f6a2a96d1c3315f01a970
Instruction Fuzzy Hash: A86102B5D04219EFCF14CFA8D885EAEBBB6FF48310F20852AE956A7250D770A941DF50

Function 008EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008EDAA1

Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED659
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED66B
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED67D
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED68F
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED6A1
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED6B3
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED6C5
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED6D7
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED6E9
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED6FB
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED70D
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED71F
Part of subcall function 008ED63C: _free.LIBCMT ref: 008ED731

_free.LIBCMT ref: 008EDA96

Part of subcall function 008E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000), ref: 008E29DE
Part of subcall function 008E29C8: GetLastError.KERNEL32(00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000,00000000), ref: 008E29F0

_free.LIBCMT ref: 008EDAB8
_free.LIBCMT ref: 008EDACD
_free.LIBCMT ref: 008EDAD8
_free.LIBCMT ref: 008EDAFA
_free.LIBCMT ref: 008EDB0D
_free.LIBCMT ref: 008EDB1B
_free.LIBCMT ref: 008EDB26
_free.LIBCMT ref: 008EDB5E
_free.LIBCMT ref: 008EDB65
_free.LIBCMT ref: 008EDB82
_free.LIBCMT ref: 008EDB9A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 933a373dcad771a410c4fa357b83a84773e048418aa04de26e4e0cbbdc33b87c
Instruction ID: f6db0d1c2d032e0e3a1bdb3643fb11eb34eaf4d9eaaee0a46359f72c795a5c29
Opcode Fuzzy Hash: 933a373dcad771a410c4fa357b83a84773e048418aa04de26e4e0cbbdc33b87c
Instruction Fuzzy Hash: 06318232604388AFDB21AA3AD846F5A7BE8FF42320F115429F458D7192EF35ED44C721

Function 0091365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0091369C
_wcslen.LIBCMT ref: 009136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00913797
GetClassNameW.USER32(?,?,00000400), ref: 0091380C
GetDlgCtrlID.USER32(?), ref: 0091385D
GetWindowRect.USER32(?,?), ref: 00913882
GetParent.USER32(?), ref: 009138A0
ScreenToClient.USER32(00000000), ref: 009138A7
GetClassNameW.USER32(?,?,00000100), ref: 00913921
GetWindowTextW.USER32(?,?,00000400), ref: 0091395D

Strings

%s%u, xrefs: 00913734

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 150dd4e102579def83c0529224c96241655d9559eee6e781838ff39ebf1a28c3
Instruction ID: 7dac4f239da037e9c6f4ea40bb1c9a9cb00e18921c3f89a6b80e62011cb651d0
Opcode Fuzzy Hash: 150dd4e102579def83c0529224c96241655d9559eee6e781838ff39ebf1a28c3
Instruction Fuzzy Hash: 15918C7130560AEFD719DF24C885FEAB7A9FF44350F008629F999D2190DB30AA95CBA1

Function 00914954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00914994
GetWindowTextW.USER32(?,?,00000400), ref: 009149DA
_wcslen.LIBCMT ref: 009149EB
CharUpperBuffW.USER32(?,00000000), ref: 009149F7
_wcsstr.LIBVCRUNTIME ref: 00914A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00914A64
GetWindowTextW.USER32(?,?,00000400), ref: 00914A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00914AE6
GetClassNameW.USER32(?,?,00000400), ref: 00914B20
GetWindowRect.USER32(?,?), ref: 00914B8B

Strings

ThumbnailClass, xrefs: 00914A6F, 00914AF1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 180be0039eb03997ffbe09ec82dafffdd46db1a6d6c698940b7d17eeec0cf4de
Instruction ID: 8e6125bb2ada47626e176df3026b056907d3996598adcb27af37e41ca0869590
Opcode Fuzzy Hash: 180be0039eb03997ffbe09ec82dafffdd46db1a6d6c698940b7d17eeec0cf4de
Instruction Fuzzy Hash: F2919F712482099FDB04CF14C985FEA77ACFF88354F04846AFD859A195DB30ED85CBA1

Function 00948D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00948D5A
GetFocus.USER32 ref: 00948D6A
GetDlgCtrlID.USER32(00000000), ref: 00948D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00948E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00948ECF
GetMenuItemCount.USER32(?), ref: 00948EEC
GetMenuItemID.USER32(?,00000000), ref: 00948EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00948F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00948F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00948FA1

Strings

0, xrefs: 00948E9F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: c6ba27474d5830deb917021466fda96b2771ddfe3019c23962ae1f2ded171e3c
Instruction ID: b00df5dd67352a168f8e9586837918ab4cf2cdecd9e0743330b6a5f43de422dd
Opcode Fuzzy Hash: c6ba27474d5830deb917021466fda96b2771ddfe3019c23962ae1f2ded171e3c
Instruction Fuzzy Hash: CB81AD71508301AFDB20DF24D884EAFBBE9FB89714F040A59F98497291DB30D905DBA2

Function 0091BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00981990,000000FF,00000000,00000030), ref: 0091BFAC
SetMenuItemInfoW.USER32(00981990,00000004,00000000,00000030), ref: 0091BFE1
Sleep.KERNEL32(000001F4), ref: 0091BFF3
GetMenuItemCount.USER32(?), ref: 0091C039
GetMenuItemID.USER32(?,00000000), ref: 0091C056
GetMenuItemID.USER32(?,-00000001), ref: 0091C082
GetMenuItemID.USER32(?,?), ref: 0091C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0091C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0091C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0091C145

Strings

0, xrefs: 0091BF3D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: a586d0d2a5080bd66b56b71e11f3ef4948c7d4e6e0fb59858788871093f6d02f
Instruction ID: db166e6886375e32601f0275cc15bdb3a98219baa9695cbfe393bf49d2267e2b
Opcode Fuzzy Hash: a586d0d2a5080bd66b56b71e11f3ef4948c7d4e6e0fb59858788871093f6d02f
Instruction Fuzzy Hash: F0617DF0A9824EAFDF11CF64CC88AEE7BA9EB46344F004555F811A3291C735AD85DB60

Function 0091DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0091DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0091DC46
_wcslen.LIBCMT ref: 0091DC50
_wcsstr.LIBVCRUNTIME ref: 0091DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0091DCBC

Strings

%u.%u.%u.%u, xrefs: 0091DD9A
DefaultLangCodepage, xrefs: 0091DD1F
StringFileInfo\, xrefs: 0091DC8F
\VarFileInfo\Translation, xrefs: 0091DCB4
04090000, xrefs: 0091DCF2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: df6e47e88fef7d84a2891b7b8bd77b91b5157e2e708482d58fccf77c70a557bb
Instruction ID: 6df8bbf99c6618de790b41ba1eacf55dff1887261aea0c27aae8e3c99c81b16c
Opcode Fuzzy Hash: df6e47e88fef7d84a2891b7b8bd77b91b5157e2e708482d58fccf77c70a557bb
Instruction Fuzzy Hash: 6C410472A412047AEB00A769AC43EFF377CEF52710F10456AFA05E6283EB74D90097A6

Function 0093CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0093CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0093CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0093CD48

Part of subcall function 0093CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0093CCAA
Part of subcall function 0093CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0093CCBD
Part of subcall function 0093CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0093CCCF
Part of subcall function 0093CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0093CD05
Part of subcall function 0093CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0093CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0093CCF3

Strings

RegDeleteKeyExW, xrefs: 0093CCC9
advapi32.dll, xrefs: 0093CCB8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fe54016dff0cbddff6b4351aad871d89c21ba9446945ffe7153db4533a463ffa
Instruction ID: 63312579d9b07fc4a49f35ffc86f657e9078b1656e585812a00884563e3e66fa
Opcode Fuzzy Hash: fe54016dff0cbddff6b4351aad871d89c21ba9446945ffe7153db4533a463ffa
Instruction Fuzzy Hash: 5A318EB5902128BFDB208B90DC88EFFBB7CEF46740F000565B915E2240DB349A45EBA0

Function 00923D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00923D40
_wcslen.LIBCMT ref: 00923D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00923D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00923DBE
RemoveDirectoryW.KERNEL32(?), ref: 00923DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00923E55
CloseHandle.KERNEL32(00000000), ref: 00923E60
CloseHandle.KERNEL32(00000000), ref: 00923E6B

Strings

\, xrefs: 00923D77
\??\%s, xrefs: 00923D5B
:, xrefs: 00923D82

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 170786197b187ce2dc79902ec4f6824ed576f45464b28cd7460e0f4e6519f11d
Instruction ID: 7a8aa726a6e8b72a8878e83547750e31901b1841f5b92bbf4a66d4b6d861d6b8
Opcode Fuzzy Hash: 170786197b187ce2dc79902ec4f6824ed576f45464b28cd7460e0f4e6519f11d
Instruction Fuzzy Hash: 3C31B4B6A14219ABDB209FA4DC49FEF37BCEF89700F1081B5F509D61A4E77497448B24

Function 0091E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0091E6B4

Part of subcall function 008CE551: timeGetTime.WINMM(?,?,0091E6D4), ref: 008CE555

Sleep.KERNEL32(0000000A), ref: 0091E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0091E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0091E727
SetActiveWindow.USER32 ref: 0091E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0091E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0091E773
Sleep.KERNEL32(000000FA), ref: 0091E77E
IsWindow.USER32 ref: 0091E78A
EndDialog.USER32(00000000), ref: 0091E79B

Strings

BUTTON, xrefs: 0091E719

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9bbf3d59395688b5d3f5d262f032886e4b4e338cff4ff71e2a325c20440f82a7
Instruction ID: f3a3881233ffba06540dbd4470a5d21de535af9d249d44d2505ab53739cc0430
Opcode Fuzzy Hash: 9bbf3d59395688b5d3f5d262f032886e4b4e338cff4ff71e2a325c20440f82a7
Instruction Fuzzy Hash: 562196B4329209AFFB005F20EC89F693BADF796789F544426FD15812A1EB71AC40AB14

Function 0091E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0091EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0091EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0091EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0091EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0091EAA7

Strings

play PlayMe wait, xrefs: 0091EA91
alias PlayMe, xrefs: 0091EA36
close PlayMe, xrefs: 0091EA6E, 0091EA9B
play PlayMe, xrefs: 0091EAA2
status PlayMe mode, xrefs: 0091EA58
open , xrefs: 0091EA0C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 5fe898571af98b86f9e8c2ba21ac0a2376a7ee0fe0f11943f1accc57f6b3e955
Instruction ID: 2613ae6e384c827ef52ef0152056235d3b53dd6c500d6232eaa6e4a1865463d2
Opcode Fuzzy Hash: 5fe898571af98b86f9e8c2ba21ac0a2376a7ee0fe0f11943f1accc57f6b3e955
Instruction Fuzzy Hash: C8119E32A9022D79D720A7A5DC4AEFF6EBCFFD1F04F404429B905E21D1EAB00A48C5B1

Function 00919F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0091A012
SetKeyboardState.USER32(?), ref: 0091A07D
GetAsyncKeyState.USER32(000000A0), ref: 0091A09D
GetKeyState.USER32(000000A0), ref: 0091A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0091A0E3
GetKeyState.USER32(000000A1), ref: 0091A0F4
GetAsyncKeyState.USER32(00000011), ref: 0091A120
GetKeyState.USER32(00000011), ref: 0091A12E
GetAsyncKeyState.USER32(00000012), ref: 0091A157
GetKeyState.USER32(00000012), ref: 0091A165
GetAsyncKeyState.USER32(0000005B), ref: 0091A18E
GetKeyState.USER32(0000005B), ref: 0091A19C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 079c3a753b5b92eebf7af1006fe0e94ce4c34981d2d456ab429ee86eaefddb91
Instruction ID: b971199146775b971d386513be4973d8923f72002880c4440ef5f7cf8891e3fe
Opcode Fuzzy Hash: 079c3a753b5b92eebf7af1006fe0e94ce4c34981d2d456ab429ee86eaefddb91
Instruction Fuzzy Hash: 8D51BB64B0978C39FB35EB704911BEAAFF95F12380F088599D5C2571C2DA649ECCC762

Function 00915CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00915CE2
GetWindowRect.USER32(00000000,?), ref: 00915CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00915D59
GetDlgItem.USER32(?,00000002), ref: 00915D69
GetWindowRect.USER32(00000000,?), ref: 00915D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00915DCF
GetDlgItem.USER32(?,000003E9), ref: 00915DDD
GetWindowRect.USER32(00000000,?), ref: 00915DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00915E31
GetDlgItem.USER32(?,000003EA), ref: 00915E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00915E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00915E67

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6f131f18abdc15d68a585e1e62b65a352d7f37bd19bfbb3c9db4ee7ecd65ceeb
Instruction ID: 13b2b4b29ee5adec68e2f447550c7efd6e2d39157bbc35446db2c2fca972a0ee
Opcode Fuzzy Hash: 6f131f18abdc15d68a585e1e62b65a352d7f37bd19bfbb3c9db4ee7ecd65ceeb
Instruction Fuzzy Hash: CD512FB4B10609AFDF18CF68DD89EAE7BB9FB89300F518129F915E6290D7709E40CB50

Function 008C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008C8BE8,?,00000000,?,?,?,?,008C8BBA,00000000,?), ref: 008C8FC5

DestroyWindow.USER32(?), ref: 008C8C81
KillTimer.USER32(00000000,?,?,?,?,008C8BBA,00000000,?), ref: 008C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00906973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008C8BBA,00000000,?), ref: 009069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008C8BBA,00000000,?), ref: 009069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008C8BBA,00000000), ref: 009069D4
DeleteObject.GDI32(00000000), ref: 009069E6

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1feb739dc8674761aab8e407479833d0d5fcdde66e63fc8e2a7aa9610841dd47
Instruction ID: cf2ac524c7c46c20db28ff975ebe1a8f0ac7ede49ab4cfaa07b01391380e66ac
Opcode Fuzzy Hash: 1feb739dc8674761aab8e407479833d0d5fcdde66e63fc8e2a7aa9610841dd47
Instruction Fuzzy Hash: A9619831126604DFCB659F18E948F2A77F5FB51316F10451CE0429BAA0CB36ED91EFA4

Function 008C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008C9944: GetWindowLongW.USER32(?,000000EB), ref: 008C9952

GetSysColor.USER32(0000000F), ref: 008C9862

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8abcebf84426082352b2913c967b3941b472d5ea6b38057163db60296ef89c21
Instruction ID: b3606874a411e36665b2bedf7ead19bd725ee69b4e0e216b9248873f05304f30
Opcode Fuzzy Hash: 8abcebf84426082352b2913c967b3941b472d5ea6b38057163db60296ef89c21
Instruction Fuzzy Hash: FE418D75509644AEDB205B389C88FB93BB9FB07330F1446A9F9E2871E2C631D942EB10

Function 009196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,008FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00919717
LoadStringW.USER32(00000000,?,008FF7F8,00000001), ref: 00919720

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,008FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00919742
LoadStringW.USER32(00000000,?,008FF7F8,00000001), ref: 00919745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00919866

Strings

Error: , xrefs: 0091981D
^ ERROR, xrefs: 009197FB
Line %d (File "%s"):, xrefs: 0091978F
%s (%d) : ==> %s: %s %s, xrefs: 0091984A
Line %d:, xrefs: 009197A0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 58bcf52508037d37bc8b5799d47dfb38dbb289dc15e0facc6b9a7b383a243747
Instruction ID: 25f11b5e6a99159ca11f519a1fd2a0adcd74f6cc813f81cb829b88bd119059a6
Opcode Fuzzy Hash: 58bcf52508037d37bc8b5799d47dfb38dbb289dc15e0facc6b9a7b383a243747
Instruction Fuzzy Hash: 83414E7290420DAACB04EBE4DD96EEE7778FF55340F600065F605B2292EB356F48CB62

Function 009106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00910804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0091082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00910837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0091083C

Strings

SOFTWARE\Classes\, xrefs: 0091070E
\IPC$, xrefs: 00910784
\CLSID, xrefs: 00910724

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: de5b63c9a8ddcca69bcf3e3b21cd8d2b822ba9590bbb86f1462b3c2c94b946f1
Instruction ID: 620eeb1db251db7af7df526cff2c6382ab9e5a69724d69ad68662a4949950296
Opcode Fuzzy Hash: de5b63c9a8ddcca69bcf3e3b21cd8d2b822ba9590bbb86f1462b3c2c94b946f1
Instruction Fuzzy Hash: 3C412772D1422CABDF15EBA8DC85CEEB778FF44350F454129E901A32A1EB71AE44CB91

Function 00943F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0094403B
CreateCompatibleDC.GDI32(00000000), ref: 00944042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00944055
SelectObject.GDI32(00000000,00000000), ref: 0094405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00944068
DeleteDC.GDI32(00000000), ref: 00944072
GetWindowLongW.USER32(?,000000EC), ref: 0094407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00944092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0094409E

Strings

static, xrefs: 00943FD3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 554c6a509eeb12bea72c9d5c8985c51972ea283516d8309466988b82a9ad5aa9
Instruction ID: 3aa7debfca1ad6846747b4b58811c9bf8b79068a70bd1a3a86a1856118e01b4a
Opcode Fuzzy Hash: 554c6a509eeb12bea72c9d5c8985c51972ea283516d8309466988b82a9ad5aa9
Instruction Fuzzy Hash: 80317A76516219BFDF219FA4CC09FDA3B68EF0E324F010211FA18E61A0D775D820EB54

Function 00933C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00933C5C
CoInitialize.OLE32(00000000), ref: 00933C8A
CoUninitialize.OLE32 ref: 00933C94
_wcslen.LIBCMT ref: 00933D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00933DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00933ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00933F0E
CoGetObject.OLE32(?,00000000,0094FB98,?), ref: 00933F2D
SetErrorMode.KERNEL32(00000000), ref: 00933F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00933FC4
VariantClear.OLEAUT32(?), ref: 00933FD8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3f8b9fca903b76fb7fb6a55c4129fe7a977bbf08bd2f8ccc56bfc419ec0c6f02
Instruction ID: 5108326af5830df350e3af5903c74368825fe00762d854160e59cef3aed1c389
Opcode Fuzzy Hash: 3f8b9fca903b76fb7fb6a55c4129fe7a977bbf08bd2f8ccc56bfc419ec0c6f02
Instruction Fuzzy Hash: 77C134B16083059FD710DF68C88492BBBE9FF89744F10891DF98A9B260D731EE45CB52

Function 00927A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00927AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00927B8F
SHGetDesktopFolder.SHELL32(?), ref: 00927BA3
CoCreateInstance.OLE32(0094FD08,00000000,00000001,00976E6C,?), ref: 00927BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00927C74
CoTaskMemFree.OLE32(?,?), ref: 00927CCC
SHBrowseForFolderW.SHELL32(?), ref: 00927D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00927D7A
CoTaskMemFree.OLE32(00000000), ref: 00927D81
CoTaskMemFree.OLE32(00000000), ref: 00927DD6
CoUninitialize.OLE32 ref: 00927DDC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9820ab46e4b0f05dbde5ad40d4abc6a4e206464a4da1ed08e5cba13a20c02a30
Instruction ID: 512265143451543a00779141f8f23b14a2d4a8e039b1879edbd0841eb86ebf9b
Opcode Fuzzy Hash: 9820ab46e4b0f05dbde5ad40d4abc6a4e206464a4da1ed08e5cba13a20c02a30
Instruction Fuzzy Hash: EBC13C75A04119AFCB14DFA4D894DAEBBF9FF48304B148499E81AEB361D730ED41CB90

Function 0094541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00945504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00945515
CharNextW.USER32(00000158), ref: 00945544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00945585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0094559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009455AC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2c58ea0b2a77a18a6d0836f08aa18929ad72023938182ae44f211bb65265f9a6
Instruction ID: 4c86d17ecff5a692c382875c7e83861b030dee82908072e9ba44f2e0c36b0885
Opcode Fuzzy Hash: 2c58ea0b2a77a18a6d0836f08aa18929ad72023938182ae44f211bb65265f9a6
Instruction Fuzzy Hash: 1C61B074904609EFDF109FE4CC84EFE7BB9EB06320F118545F925AB2A2D7748A80DB60

Function 0090FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0090FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0090FB08
VariantInit.OLEAUT32(?), ref: 0090FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0090FB3A
VariantCopy.OLEAUT32(?,?), ref: 0090FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0090FBA1
VariantClear.OLEAUT32(?), ref: 0090FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0090FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0090FBCC
VariantClear.OLEAUT32(?), ref: 0090FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0090FBE9

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e1355b59f68096b209139062e15aeeadb2c6a4dfe77862d95c6e1bda986803fb
Instruction ID: 27a03bbe8f6a1482a36d235131daccb5838695250d0188546e6b5b7af648de7f
Opcode Fuzzy Hash: e1355b59f68096b209139062e15aeeadb2c6a4dfe77862d95c6e1bda986803fb
Instruction Fuzzy Hash: D6415175A04219DFCB14DF68D864DADBBB9FF48354F008069F905A72A1DB34EA45CFA0

Function 00919C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00919CA1
GetAsyncKeyState.USER32(000000A0), ref: 00919D22
GetKeyState.USER32(000000A0), ref: 00919D3D
GetAsyncKeyState.USER32(000000A1), ref: 00919D57
GetKeyState.USER32(000000A1), ref: 00919D6C
GetAsyncKeyState.USER32(00000011), ref: 00919D84
GetKeyState.USER32(00000011), ref: 00919D96
GetAsyncKeyState.USER32(00000012), ref: 00919DAE
GetKeyState.USER32(00000012), ref: 00919DC0
GetAsyncKeyState.USER32(0000005B), ref: 00919DD8
GetKeyState.USER32(0000005B), ref: 00919DEA

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0f7d3d7fdb9449eb377e8844783918134112258e939878d1f8516237c2eaa9f6
Instruction ID: f626d122b572d0905f7537e860964a2c903d391713a577112a4ebc4f4a465cb8
Opcode Fuzzy Hash: 0f7d3d7fdb9449eb377e8844783918134112258e939878d1f8516237c2eaa9f6
Instruction Fuzzy Hash: 5C41E8387087CD6DFF308760D4243F5BEE86B12304F08805AEAC6566C2D7A499C4C7A2

Function 0093055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009305BC
inet_addr.WSOCK32(?), ref: 0093061C
gethostbyname.WSOCK32(?), ref: 00930628
IcmpCreateFile.IPHLPAPI ref: 00930636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009307B9
WSACleanup.WSOCK32 ref: 009307BF

Strings

Ping, xrefs: 00930676

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 245bdf60274722b2f8d82ea6067a01437893b35480daf192b446dad96a1a6518
Instruction ID: bf0f70020e587dc472a91b35e0bd1af5e66c5fd6b38536b94b34c43f4af100d2
Opcode Fuzzy Hash: 245bdf60274722b2f8d82ea6067a01437893b35480daf192b446dad96a1a6518
Instruction Fuzzy Hash: 4C917C756082019FD320DF19C899F1ABBE4EF84318F1485A9F46A8B7A2C774ED45CF92

Function 00938CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00938CF3

Part of subcall function 00918E54: _wcslen.LIBCMT ref: 00918E77

_wcslen.LIBCMT ref: 00938D4E
_wcslen.LIBCMT ref: 00938D9C
_wcslen.LIBCMT ref: 00938DDC
_wcslen.LIBCMT ref: 00938E6E

Strings

none, xrefs: 00938E65, 00938E6A
cdecl, xrefs: 00938D48, 00938D4D
stdcall, xrefs: 00938DD6, 00938DDB
winapi, xrefs: 00938D96, 00938D9B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4f4306d2d6b1ac969d8975100c2f66d465e854ab4708188b96689531849ef143
Instruction ID: d9a8f771a1aee89f8e9baf771597dbb325de3965381226219fef7133ad17ac7a
Opcode Fuzzy Hash: 4f4306d2d6b1ac969d8975100c2f66d465e854ab4708188b96689531849ef143
Instruction Fuzzy Hash: 09518F32A042169BCB24EF6CC9509BFB7A9BF64724F214629F426E73C4DB35DD408B91

Function 0093372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00933774
CoUninitialize.OLE32 ref: 0093377F
CoCreateInstance.OLE32(?,00000000,00000017,0094FB78,?), ref: 009337D9
IIDFromString.OLE32(?,?), ref: 0093384C
VariantInit.OLEAUT32(?), ref: 009338E4
VariantClear.OLEAUT32(?), ref: 00933936

Strings

Invalid parameter, xrefs: 00933865
NULL Pointer assignment, xrefs: 0093381E
Failed to create object, xrefs: 009337E4, 0093389A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 982d5ed1b7021a9ede6f09f53be782461d8a5d82de3d86ab38e8f51e679abef2
Instruction ID: bbb5dfd01e0e331168aa3200e1b57f317c3a2d4e5415dd2a22a67c8fdca19334
Opcode Fuzzy Hash: 982d5ed1b7021a9ede6f09f53be782461d8a5d82de3d86ab38e8f51e679abef2
Instruction Fuzzy Hash: 1F619DB5648301AFD310DF54C889F5AB7E8EF89714F008919F9859B291C774EE48CB92

Function 00923388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009233CF

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009233F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00923504
^ ERROR , xrefs: 0092349E
Error: , xrefs: 009234D1
Incorrect parameters to object property !, xrefs: 009234AB
Line %d (File "%s"):, xrefs: 00923443, 0092345C
"%s" (%d) : ==> %s:, xrefs: 00923522

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 87faa5a466a689707d9863001002ebfbecdcbbaafc8818c6e29aee89336ef386
Instruction ID: 377071cd2b1f8b5f8ea9b51cb3a4bf3480b321f666393c67e0253b50c79a09b8
Opcode Fuzzy Hash: 87faa5a466a689707d9863001002ebfbecdcbbaafc8818c6e29aee89336ef386
Instruction Fuzzy Hash: D351B372904219AADF14EBA4DD52EEEB778FF04304F108065F109B2262EB356F58DB61

Function 0091B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0091B5FC
_wcslen.LIBCMT ref: 0091B608
_wcslen.LIBCMT ref: 0091B64D
_wcslen.LIBCMT ref: 0091B68C
_wcslen.LIBCMT ref: 0091B6C7

Strings

REMOVE, xrefs: 0091B602, 0091B607
EXISTS, xrefs: 0091B686, 0091B68B
KEYS, xrefs: 0091B647, 0091B64C
APPEND, xrefs: 0091B6C1, 0091B6C6

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7ea73b1f036d05827b99c74fa64ffb28c884d6111710405941b08b74c3a00f70
Instruction ID: 7bca06afca7ab9f7ff1759a8b646ec2a03cd742679f03590629242ac9de59949
Opcode Fuzzy Hash: 7ea73b1f036d05827b99c74fa64ffb28c884d6111710405941b08b74c3a00f70
Instruction Fuzzy Hash: 8441E732B0012A9BCB205F7DC9A05FE77AABBB07E4B244229E565D7284E735CDC1C790

Function 00925393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00925416
GetLastError.KERNEL32 ref: 00925420
SetErrorMode.KERNEL32(00000000,READY), ref: 009254A7

Strings

READONLY, xrefs: 00925452
NOTREADY, xrefs: 0092544B
UNKNOWN, xrefs: 00925444
READY, xrefs: 00925460, 00925468
INVALID, xrefs: 00925459

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a6ad1b9bdef57506b0d214e310381be4e14393c8b1e091ecee15b9b8811f861e
Instruction ID: 3a666c3f158eb2b6d925cc2573c2fc6c041344ac5f69e563e0eb7982a9dd5d7d
Opcode Fuzzy Hash: a6ad1b9bdef57506b0d214e310381be4e14393c8b1e091ecee15b9b8811f861e
Instruction Fuzzy Hash: FE31F075A006149FC710EF68D884FAABBB8FF05305F158066E505CB3A6D730DD86CB91

Function 00943C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00943C79
SetMenu.USER32(?,00000000), ref: 00943C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00943D10
IsMenu.USER32(?), ref: 00943D24
CreatePopupMenu.USER32 ref: 00943D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00943D5B
DrawMenuBar.USER32 ref: 00943D63

Strings

0, xrefs: 00943C54
F, xrefs: 00943D4E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d9c65abec0f76ed9d426823e0bf386e92761931d5cc4793b89d5844f4114acf9
Instruction ID: 1812fd03baf0a8cc382cc5c3f033c765bd6e022f43a17ccbf8274d7dfa3bef97
Opcode Fuzzy Hash: d9c65abec0f76ed9d426823e0bf386e92761931d5cc4793b89d5844f4114acf9
Instruction Fuzzy Hash: E2416BB9A15209AFDB14CF64D884EAE7BB9FF49350F144029F946973A0D731AA10DF90

Function 00911EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00911F64
GetDlgCtrlID.USER32 ref: 00911F6F
GetParent.USER32 ref: 00911F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00911F8E
GetDlgCtrlID.USER32(?), ref: 00911F97
GetParent.USER32(?), ref: 00911FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00911FAE

Strings

ComboBox, xrefs: 00911EEC
ListBox, xrefs: 00911F21

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 87db221cde98327dea4e988e39263946bda6dc92bf38553c9c16599144fc1034
Instruction ID: e258984ea827c0bf03f2d22beb813c13e6051d98fb14571bb3e9fd848f30c77e
Opcode Fuzzy Hash: 87db221cde98327dea4e988e39263946bda6dc92bf38553c9c16599144fc1034
Instruction Fuzzy Hash: 2A21B075A00218BFCF04AFA4CC85EEEBBB8EF06310F104115FAA5A7291DB745949DB60

Function 00911FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00912043
GetDlgCtrlID.USER32 ref: 0091204E
GetParent.USER32 ref: 0091206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0091206D
GetDlgCtrlID.USER32(?), ref: 00912076
GetParent.USER32(?), ref: 0091208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0091208D

Strings

ComboBox, xrefs: 00911FCD
ListBox, xrefs: 00912002

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: af2386f949a9f1fc4002d56e373995d41c1c9641172b7158c55271b582aaadf6
Instruction ID: 07f696e2ed01c78ecc02592ba416aaef92ec5d09499ea155ad685a2eb54fc096
Opcode Fuzzy Hash: af2386f949a9f1fc4002d56e373995d41c1c9641172b7158c55271b582aaadf6
Instruction Fuzzy Hash: DE21D1B5A00218BFCF14AFA4CC85EFEBBB8FF09340F108415F995A72A1DA794954DB60

Function 00943A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00943A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00943AA0
GetWindowLongW.USER32(?,000000F0), ref: 00943AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00943AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00943B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00943BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00943BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00943BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00943BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00943C13

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 0625985971ee6af39c27e0dc7549800d591595497865748fde3865ee6df8979e
Instruction ID: 39c2c9410e9509f61cd50192084108eae91586172e060cd7b714b80122888210
Opcode Fuzzy Hash: 0625985971ee6af39c27e0dc7549800d591595497865748fde3865ee6df8979e
Instruction Fuzzy Hash: F7616775A00208AFDB20DFA8CC81EEE77B8EB49710F104199FA15E73A1D774AA46DF50

Function 0091B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0091B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B165
GetWindowThreadProcessId.USER32(00000000), ref: 0091B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0091B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0091A1E1,?,00000001), ref: 0091B21D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 411a127842f9f426bd3804aad27a0bcd5b22201e5cdd018dddc8fab297193253
Instruction ID: cef91aa61a4a2751579bbb090666c758abccd4af926839374e040c8077d17da0
Opcode Fuzzy Hash: 411a127842f9f426bd3804aad27a0bcd5b22201e5cdd018dddc8fab297193253
Instruction Fuzzy Hash: 9031F2B5228208BFDB109F64DC58FAD7BAEBB22711F118404FA11D6290C7B49E809F20

Function 008E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008E2C94

Part of subcall function 008E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000), ref: 008E29DE
Part of subcall function 008E29C8: GetLastError.KERNEL32(00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000,00000000), ref: 008E29F0

_free.LIBCMT ref: 008E2CA0
_free.LIBCMT ref: 008E2CAB
_free.LIBCMT ref: 008E2CB6
_free.LIBCMT ref: 008E2CC1
_free.LIBCMT ref: 008E2CCC
_free.LIBCMT ref: 008E2CD7
_free.LIBCMT ref: 008E2CE2
_free.LIBCMT ref: 008E2CED
_free.LIBCMT ref: 008E2CFB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 219c0598f66e2667afd0a73df992256c68ad173b5bbd544707693630e48bae30
Instruction ID: 9b85a252fce322638cca611359a4e1d9deeebebba65c05fa4e1b4d0d7c7ac6e4
Opcode Fuzzy Hash: 219c0598f66e2667afd0a73df992256c68ad173b5bbd544707693630e48bae30
Instruction Fuzzy Hash: DB119376100148BFCB02FF5AD882DDD3FA9FF06350F5254A5FA489B222DA35EA509B91

Function 00927DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00927FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00927FC1
GetFileAttributesW.KERNEL32(?), ref: 00927FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00928005
SetCurrentDirectoryW.KERNEL32(?), ref: 00928017
SetCurrentDirectoryW.KERNEL32(?), ref: 00928060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009280B0

Strings

*.*, xrefs: 00928066

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8191c0ad2aa8180d286241a234b7a466051e1c15ce09d4a262300caf5c5c0020
Instruction ID: 5c550780428f95d40e170fc6fff597ed3b09faa684777a27a8b7cb91e68fa90b
Opcode Fuzzy Hash: 8191c0ad2aa8180d286241a234b7a466051e1c15ce09d4a262300caf5c5c0020
Instruction Fuzzy Hash: C881A0725082119BCB20EF54D8449AEF3E8FF89310F154C5EF885E7264EB74DD498B62

Function 008B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008B5C7A

Part of subcall function 008B5D0A: GetClientRect.USER32(?,?), ref: 008B5D30
Part of subcall function 008B5D0A: GetWindowRect.USER32(?,?), ref: 008B5D71
Part of subcall function 008B5D0A: ScreenToClient.USER32(?,?), ref: 008B5D99

GetDC.USER32 ref: 008F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008F4708
SelectObject.GDI32(00000000,00000000), ref: 008F4716
SelectObject.GDI32(00000000,00000000), ref: 008F472B
ReleaseDC.USER32(?,00000000), ref: 008F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008F47C4

Strings

U, xrefs: 008F4693

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3ecfda1d672d78fee62495f763bd484280eececf2373f5a4fb65a8ca4754b879
Instruction ID: 11a9faa24d0f07c596d5e67ecadfe43dabf30fcca0c96e9098bd07cb305227dd
Opcode Fuzzy Hash: 3ecfda1d672d78fee62495f763bd484280eececf2373f5a4fb65a8ca4754b879
Instruction Fuzzy Hash: 1A71FE3440020DDFCF219F74C984AFA3BB6FF4A364F24526AEA51DA2A6C3318881DF50

Function 0092359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009235E4

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

LoadStringW.USER32(00982390,?,00000FFF,?), ref: 0092360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00923724
Error: , xrefs: 009236EF
^ ERROR, xrefs: 009236C9
Line %d (File "%s"):, xrefs: 0092366B
"%s" (%d) : ==> %s:, xrefs: 00923742

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 9cbab0ad8fdf539353820ed18d5f9119456edc28d8d44cf23d33ceb36aa7236e
Instruction ID: e8bd05d0f479c65b54836b97a54f0d07c8a73baccf95cab79822a588a26fd424
Opcode Fuzzy Hash: 9cbab0ad8fdf539353820ed18d5f9119456edc28d8d44cf23d33ceb36aa7236e
Instruction Fuzzy Hash: D0515F71900219BADF14EBA4DC52EEEBB78FF44304F148125F105B22A2EB355B99DF61

Function 00948B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

Part of subcall function 008C912D: GetCursorPos.USER32(?), ref: 008C9141
Part of subcall function 008C912D: ScreenToClient.USER32(00000000,?), ref: 008C915E
Part of subcall function 008C912D: GetAsyncKeyState.USER32(00000001), ref: 008C9183
Part of subcall function 008C912D: GetAsyncKeyState.USER32(00000002), ref: 008C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00948B6B
ImageList_EndDrag.COMCTL32 ref: 00948B71
ReleaseCapture.USER32 ref: 00948B77
SetWindowTextW.USER32(?,00000000), ref: 00948C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00948C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00948CFF

Strings

@GUI_DROPID, xrefs: 00948C51
@GUI_DRAGFILE, xrefs: 00948C9A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: f911e0c9455d99dfc325ddac48b6aa455ae94fffaf4d26d2fa7b9519991c6015
Instruction ID: 74f7d6f659bd3b9a3b2200d4494d2380152621b96787c1235535384121886a29
Opcode Fuzzy Hash: f911e0c9455d99dfc325ddac48b6aa455ae94fffaf4d26d2fa7b9519991c6015
Instruction Fuzzy Hash: 11518971109304AFD704EF24DC96FAE77E8FB88715F00062DF996A72A2DB719904DB62

Function 0092C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0092C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0092C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0092C2CA
GetLastError.KERNEL32 ref: 0092C322
SetEvent.KERNEL32(?), ref: 0092C336
InternetCloseHandle.WININET(00000000), ref: 0092C341

Strings

, xrefs: 0092C2BB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 2f16ebd533f0b453a9ea1b7dbf89f116624de6c1805c41a04731d8ae08807773
Instruction ID: 97bf45433a794fb0560f7ec0f2313f1c744fe125b81533e321eb51d5b5d3ff1b
Opcode Fuzzy Hash: 2f16ebd533f0b453a9ea1b7dbf89f116624de6c1805c41a04731d8ae08807773
Instruction Fuzzy Hash: 3831A9F1605618AFD721DFA4AC88EAF7BFCEB4A740B10891EF44693204DB74DD049BA0

Function 0091989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008F3AAF,?,?,Bad directive syntax error,0094CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009198BC
LoadStringW.USER32(00000000,?,008F3AAF,?), ref: 009198C3

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00919987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 009198F1
Line %d (File "%s"):, xrefs: 0091992D
., xrefs: 0091996D
Error: , xrefs: 00919955
Line %d:, xrefs: 00919912

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 192909b0d8c796e1e8a16120ab32b19672f2bd8103b687e3d91d593ea41f8928
Instruction ID: 47217953b44e687e9d012f14f60d8e9e5b4bc21f508a516c5d014b8ae0ceb6d0
Opcode Fuzzy Hash: 192909b0d8c796e1e8a16120ab32b19672f2bd8103b687e3d91d593ea41f8928
Instruction Fuzzy Hash: 5F21943290421EBFCF15AF94CC16EEE7779FF18304F044469F619A51A2EB319658DB11

Function 0091209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0091214D

Strings

largeicons, xrefs: 009120E1
smallicons, xrefs: 00912115
list, xrefs: 0091212F
SHELLDLL_DefView, xrefs: 009120CC
details, xrefs: 009120FB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 1a2ada00d02258088b427a266eeb2d9a2228f2d9def10966f017b0a792c50269
Instruction ID: 7306158e5a2ae6febac2c7ee728fe4a876e16e5cc9c2f5db7e2282ac945fc62f
Opcode Fuzzy Hash: 1a2ada00d02258088b427a266eeb2d9a2228f2d9def10966f017b0a792c50269
Instruction Fuzzy Hash: 16110A7B7CC70BBAF605B324DC06DFA379CDB06328B215117FB08E51D1FAA558915514

Function 008E8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5108f8cd1bb036424faae603997d2163d41b37ee8749a70a5f229c80506bf5
Instruction ID: 443d78c67732952b6b7f4ae58f905e815792587a74e0357633af2f2c0f353080
Opcode Fuzzy Hash: fd5108f8cd1bb036424faae603997d2163d41b37ee8749a70a5f229c80506bf5
Instruction Fuzzy Hash: 28C1F174904289EFCB11DFAEC841BADBBB4FF0A310F444199E559EB392CB709941DB61

Function 008ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008ECEB7
_free.LIBCMT ref: 008ECF22
_free.LIBCMT ref: 008ECF48
_free.LIBCMT ref: 008ECF71
_free.LIBCMT ref: 008ECFA9
_free.LIBCMT ref: 008ECFDA
_free.LIBCMT ref: 008ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008ED09C
_free.LIBCMT ref: 008ED0B5

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: e354782b51a5eb7dad5dff83992e9c8f8d8916ad983b1a625e38cec679c8c7d0
Instruction ID: 394b5c00bb07a33eb7f80f31397a955e31ed57f0a8f748576aaf9276bb18c7f0
Opcode Fuzzy Hash: e354782b51a5eb7dad5dff83992e9c8f8d8916ad983b1a625e38cec679c8c7d0
Instruction Fuzzy Hash: A4615972D08384AFDB21AFBA9C42A697B99FF07320F14416DF904D7382DB719D069751

Function 008C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00906890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00906901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0090691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0090692D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0dac1ce5759f8d3595b2e2ec191d6bf33f0d06ec3a5e8316bd27861d2e3d8434
Instruction ID: 08c74e9ff054c8a3a192182bd1fe224f8892cd7300145d13ba91ddac89b6412c
Opcode Fuzzy Hash: 0dac1ce5759f8d3595b2e2ec191d6bf33f0d06ec3a5e8316bd27861d2e3d8434
Instruction Fuzzy Hash: 9B5165B0610209EFDB248F24CC55FAA7BB9FB48760F104518F956D62A0DB71ED90EB50

Function 0092C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0092C182
GetLastError.KERNEL32 ref: 0092C195
SetEvent.KERNEL32(?), ref: 0092C1A9

Part of subcall function 0092C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0092C272
Part of subcall function 0092C253: GetLastError.KERNEL32 ref: 0092C322
Part of subcall function 0092C253: SetEvent.KERNEL32(?), ref: 0092C336
Part of subcall function 0092C253: InternetCloseHandle.WININET(00000000), ref: 0092C341

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f3ef5a8c13fbab9c270451d5fac4aacd1a9ebcf33db8a2db33f2428094aa9fe7
Instruction ID: 2fbd80c26c5134a7deb2f739fb3cefe53923eebe988e68b1dbd3987ce324ec9c
Opcode Fuzzy Hash: f3ef5a8c13fbab9c270451d5fac4aacd1a9ebcf33db8a2db33f2428094aa9fe7
Instruction Fuzzy Hash: 4331AEB5205611FFDB219FA5EC04A6ABBFCFF59300B00441DF96A83619DB31E814EBA0

Function 009125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00913A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00913A57
Part of subcall function 00913A3D: GetCurrentThreadId.KERNEL32 ref: 00913A5E
Part of subcall function 00913A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009125B3), ref: 00913A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00912601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00912605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0091260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00912623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00912627

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: fa7eb8889340b40daaa7894348c61858803e328c0ea897a286e1e741ec3ea5f7
Instruction ID: 08b13c953e1b6d75f125e3a2a8aa5430fce122481c4aeea2f1a7bb60c6c2fc46
Opcode Fuzzy Hash: fa7eb8889340b40daaa7894348c61858803e328c0ea897a286e1e741ec3ea5f7
Instruction Fuzzy Hash: 5301D4703A9214BBFB1067689C8AF993F59DF8EB52F104001F318AE0D1C9F224849AA9

Function 00911803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00911449,?,?,00000000), ref: 0091180C
HeapAlloc.KERNEL32(00000000,?,00911449,?,?,00000000), ref: 00911813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00911449,?,?,00000000), ref: 00911828
GetCurrentProcess.KERNEL32(?,00000000,?,00911449,?,?,00000000), ref: 00911830
DuplicateHandle.KERNEL32(00000000,?,00911449,?,?,00000000), ref: 00911833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00911449,?,?,00000000), ref: 00911843
GetCurrentProcess.KERNEL32(00911449,00000000,?,00911449,?,?,00000000), ref: 0091184B
DuplicateHandle.KERNEL32(00000000,?,00911449,?,?,00000000), ref: 0091184E
CreateThread.KERNEL32(00000000,00000000,00911874,00000000,00000000,00000000), ref: 00911868

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: aef338baa58fa427117bc4295b3cda56767bc814af10c548f05fd4eed5a6dc10
Instruction ID: 51481cb692713419970b9111fe2f6e37b7eb9f8bb2d8e565aceca1a13d16e5a3
Opcode Fuzzy Hash: aef338baa58fa427117bc4295b3cda56767bc814af10c548f05fd4eed5a6dc10
Instruction Fuzzy Hash: 0B01BBB9355308BFE750AFA5DC4DF6B3BACEB8AB11F008411FA05DB1A1CA709800DB20

Function 0093A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0091D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0091D501
Part of subcall function 0091D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0091D50F
Part of subcall function 0091D4DC: CloseHandle.KERNELBASE(00000000), ref: 0091D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0093A16D
GetLastError.KERNEL32 ref: 0093A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0093A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0093A268
GetLastError.KERNEL32(00000000), ref: 0093A273
CloseHandle.KERNEL32(00000000), ref: 0093A2C4

Strings

SeDebugPrivilege, xrefs: 0093A18F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: bf8d235ba721bd86654ed9d1349b583bc3d74d85bd2a0cbeb43244e2237ec3df
Instruction ID: b120108faf2eedd3b3c2c16b5e9d98dd0ea455b221acb532bd47fa3da06cc0f2
Opcode Fuzzy Hash: bf8d235ba721bd86654ed9d1349b583bc3d74d85bd2a0cbeb43244e2237ec3df
Instruction Fuzzy Hash: 3661AD74208242AFD720DF58C494F66BBE5AF44318F18848CE4A68B7A3C776EC45CF92

Function 00943886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00943925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0094393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00943954
_wcslen.LIBCMT ref: 00943999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009439F4

Strings

SysListView32, xrefs: 009438F7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a8f9a04ea8e42a58a44c9522f2fd80a68e9fa729fb53c5823b2d619df520b22c
Instruction ID: 5e10a8e21801f3ad767c8f988b29283c5638e219a65ded8718d7137bdd129b00
Opcode Fuzzy Hash: a8f9a04ea8e42a58a44c9522f2fd80a68e9fa729fb53c5823b2d619df520b22c
Instruction Fuzzy Hash: AE41B171A00219EBEF219FA4CC49FEA7BA9FF48354F104526F958E7281D7719E80CB90

Function 0091BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0091BCFD
IsMenu.USER32(00000000), ref: 0091BD1D
CreatePopupMenu.USER32 ref: 0091BD53
GetMenuItemCount.USER32(01455658), ref: 0091BDA4
InsertMenuItemW.USER32(01455658,?,00000001,00000030), ref: 0091BDCC

Strings

0, xrefs: 0091BCA8
2, xrefs: 0091BD37

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 567fde0b66e939c392ec6bba64c8bf5deb04e95d709d7c7366e99664c3d00235
Instruction ID: 3b2b033fc62019738434cf7a055695af52d9b64bd1842d4e695f947708145f7a
Opcode Fuzzy Hash: 567fde0b66e939c392ec6bba64c8bf5deb04e95d709d7c7366e99664c3d00235
Instruction Fuzzy Hash: 5651BEB8B0420D9BDB18CFA8E984BEEBBFAAF49314F144519F511D72D0D7709981CB51

Function 0091C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0091C913

Strings

blank, xrefs: 0091C895
question, xrefs: 0091C8CC
stop, xrefs: 0091C8E4
warning, xrefs: 0091C8FC
info, xrefs: 0091C8B4

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5500c116b9506f3af8cf4a1329eba02a407d4146e424d6ecb83420e7d1c0b1fc
Instruction ID: eb47afbfd580471588e794e8aac439bb13d8b900a979a645ab0c647195ee6cb2
Opcode Fuzzy Hash: 5500c116b9506f3af8cf4a1329eba02a407d4146e424d6ecb83420e7d1c0b1fc
Instruction Fuzzy Hash: BC113DB27C970EBBE7045B589CC3CEE279CDF15368B10506BF504EA282E7745E805269

Function 0091DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0091DE42
gethostname.WSOCK32(?,00000100), ref: 0091DE5C
gethostbyname.WSOCK32(?), ref: 0091DE69
inet_ntoa.WSOCK32(?), ref: 0091DEAB
_strcat.LIBCMT ref: 0091DEB9
WSACleanup.WSOCK32 ref: 0091DEDE

Strings

0.0.0.0, xrefs: 0091DE87

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: e8cfa2a0ab85c5d6f2ab4b8f555b962dab2f8d6611dbb57a12a8a22ddf22c588
Instruction ID: a746b3c914525538e8aee084b4d92af6695b3bf48d7ce840af171d9cc5f94c82
Opcode Fuzzy Hash: e8cfa2a0ab85c5d6f2ab4b8f555b962dab2f8d6611dbb57a12a8a22ddf22c588
Instruction Fuzzy Hash: 6E115971A05108BFDB20AB34DC0AEEE37BCEF11712F00026AF445DA291EF748AC0DA51

Function 00949F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

GetSystemMetrics.USER32(0000000F), ref: 00949FC7
GetSystemMetrics.USER32(0000000F), ref: 00949FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0094A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0094A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0094A263
ShowWindow.USER32(00000003,00000000), ref: 0094A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0094A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0094A2CA

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 76030230f4a12b8f5eece3c62124ce540a5db9eec4857acaee80f3dfc25be9f6
Instruction ID: 2d3b97d165510adf417b04f6086dde6e20ba586a4dfdadcecf537165c8a3765f
Opcode Fuzzy Hash: 76030230f4a12b8f5eece3c62124ce540a5db9eec4857acaee80f3dfc25be9f6
Instruction Fuzzy Hash: 8DB1EA30604215EFDF14CF68C984BAE3BB6FF48311F088069EC59AF295D771AA40DB51

Function 0091ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0091ED2A
_wcslen.LIBCMT ref: 0091ED3B
_wcslen.LIBCMT ref: 0091ED79
_wcslen.LIBCMT ref: 0091EDAF
_wcslen.LIBCMT ref: 0091EDDF
_wcslen.LIBCMT ref: 0091EDEF
_wcslen.LIBCMT ref: 0091EE2B
_wcslen.LIBCMT ref: 0091EE5A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6a624f04f1ef40c2fd2c12b6d369ebb30b8a3a8285eaa09669a589d4ffd5e529
Instruction ID: 93d844cce4016c28d94381619b719b088adb9571a21c12536fdb30d7b0c362e1
Opcode Fuzzy Hash: 6a624f04f1ef40c2fd2c12b6d369ebb30b8a3a8285eaa09669a589d4ffd5e529
Instruction Fuzzy Hash: C9415165D1021876CB11EBB88C8A9CFB7A8EF45710F508663F918E3261FB34E255C7E6

Function 008CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0090682C,00000004,00000000,00000000), ref: 008CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0090682C,00000004,00000000,00000000), ref: 0090F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0090682C,00000004,00000000,00000000), ref: 0090F454

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a939ee6c824d87083bcb311070a6e17fcfc63b3a29d7438900de034b1d5af2ca
Instruction ID: f26f2b091f07edaa4a171519c2b26d47c86c69e57a7d1496df19954bf01f2e67
Opcode Fuzzy Hash: a939ee6c824d87083bcb311070a6e17fcfc63b3a29d7438900de034b1d5af2ca
Instruction Fuzzy Hash: 2F410B30118740BEEF788B288898F2A7EB7FB46314F14443CE647D6AA2C635E588D711

Function 00942D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00942D1B
GetDC.USER32(00000000), ref: 00942D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00942D2E
ReleaseDC.USER32(00000000,00000000), ref: 00942D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00942D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00942D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00945A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00942DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00942DE1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8d5b21cf289fcfcc3b76cb1740db0715fa7eefb9a3f73e5851328c1c64c83429
Instruction ID: a92299ecaa53f7f89292cb15734778044eb201977c1c4104c672367d07c92de0
Opcode Fuzzy Hash: 8d5b21cf289fcfcc3b76cb1740db0715fa7eefb9a3f73e5851328c1c64c83429
Instruction Fuzzy Hash: 04316D76216614BFEB214F508C89FEB3BADFB0A715F044055FE089A291D6759C50C7A4

Function 00915622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00915637
_memcmp.LIBVCRUNTIME ref: 00915659
_memcmp.LIBVCRUNTIME ref: 00915671
_memcmp.LIBVCRUNTIME ref: 00915684
_memcmp.LIBVCRUNTIME ref: 0091569E
_memcmp.LIBVCRUNTIME ref: 009156B1
_memcmp.LIBVCRUNTIME ref: 009156C9
_memcmp.LIBVCRUNTIME ref: 009156E4

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d7cd963d600d06f7e4c7b572db9c48905f069e9785b29f17db0326e136f96df3
Instruction ID: 879a45741035b999330d02532976183f152b03fceca00d58cb1f6698232788fd
Opcode Fuzzy Hash: d7cd963d600d06f7e4c7b572db9c48905f069e9785b29f17db0326e136f96df3
Instruction Fuzzy Hash: DC21C261740A0EFBDA1856248E92FFA235CFEE13C9B470121FD049A782F768ED5081E6

Function 00934FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00935007
NULL Pointer assignment, xrefs: 0093502E, 00935383

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a04e774e23c71b8be310d8a038931b1b0d490a691ea1f118052d1e94cc6e7bc0
Instruction ID: 2760a7d459a9db86367acda0daedd65883c0e91330516bd3190450d232804b45
Opcode Fuzzy Hash: a04e774e23c71b8be310d8a038931b1b0d490a691ea1f118052d1e94cc6e7bc0
Instruction Fuzzy Hash: 6DD1B075A0060A9FDF14CF98C880BAEB7B9BF88344F158469E915AB281E771DD41CF90

Function 008F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008F17FB,?,008F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008F16FB

Part of subcall function 008E3820: RtlAllocateHeap.NTDLL(00000000,?,00981444,?,008CFDF5,?,?,008BA976,00000010,00981440,008B13FC,?,008B13C6,?,008B1129), ref: 008E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008F1777
__freea.LIBCMT ref: 008F17A2
__freea.LIBCMT ref: 008F17AE

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: a8fe37c3b9bba05802c5d7a6b58153e4f0b49284648d17949cf6ee038f6e6fd3
Instruction ID: 392f39f9e558abbf3c61c4e8ba312f4a3d03ead2c3d9f39a109b3ddc192866e6
Opcode Fuzzy Hash: a8fe37c3b9bba05802c5d7a6b58153e4f0b49284648d17949cf6ee038f6e6fd3
Instruction Fuzzy Hash: B191B072E0021EDADF209E74C889AFE7BB5FF59314F180659EA05E7155DB25DC40CBA0

Function 00934523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00934648
VariantInit.OLEAUT32(?), ref: 00934749
VariantClear.OLEAUT32(?), ref: 00934753
VariantClear.OLEAUT32(?), ref: 009347B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0093472C
Null Object assignment in FOR..IN loop, xrefs: 009345D8, 00934706, 009347BE

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8ba9d417042605f4a5c69b4f7d805325947a021dc5b92ad339a09fb0ae6fc376
Instruction ID: a97e22b97082ab486e77e72f0ecc9519848f7f3a85df4919965f6d66bd978ba1
Opcode Fuzzy Hash: 8ba9d417042605f4a5c69b4f7d805325947a021dc5b92ad339a09fb0ae6fc376
Instruction Fuzzy Hash: B0919171A00219AFDF20CFA4CC45FAEBBB8EF46714F118559F506AB291D774A941CFA0

Function 00921187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0092125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00921284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0092135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00921430

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3829de343b49ca5d82ee6e3a35cb2d68d086da41878d593a065e8d2bf0e472b4
Instruction ID: 9f64bb8580a0ce5126f19a35a6cf8cf8dd1a9765a92b90d7530aae4031e04f23
Opcode Fuzzy Hash: 3829de343b49ca5d82ee6e3a35cb2d68d086da41878d593a065e8d2bf0e472b4
Instruction Fuzzy Hash: 26912475A00228EFDB00EFA8E884BBE77B9FF55310F104029E950E72A5D778E951CB90

Function 008C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: be40e1fc124b87c0d202394503a8ecc4047cd9e42def0804677812a18696f445
Instruction ID: 584cb0e162e700de85742f0360cb841f9a49afbaee4f5b5c85acebf73ca71611
Opcode Fuzzy Hash: be40e1fc124b87c0d202394503a8ecc4047cd9e42def0804677812a18696f445
Instruction Fuzzy Hash: 66912571D04219EFCB14CFA9C888EEEBBB8FF49320F148499E555B7291D774A942CB60

Function 00933947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0093396B
CharUpperBuffW.USER32(?,?), ref: 00933A7A
_wcslen.LIBCMT ref: 00933A8A
VariantClear.OLEAUT32(?), ref: 00933C1F

Part of subcall function 00920CDF: VariantInit.OLEAUT32(00000000), ref: 00920D1F
Part of subcall function 00920CDF: VariantCopy.OLEAUT32(?,?), ref: 00920D28
Part of subcall function 00920CDF: VariantClear.OLEAUT32(?), ref: 00920D34

Strings

Incorrect Parameter format, xrefs: 009339A6, 00933BA1
AUTOIT.ERROR, xrefs: 00933A80, 00933A85

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 959a8e37996610ad2a0c84a794894459f1308d0e82c155edee6914defba78ebe
Instruction ID: df2a6403a9017ac7bd23afc4d24b3d13c111dcddc4a91f68d744d0fc2916ec1a
Opcode Fuzzy Hash: 959a8e37996610ad2a0c84a794894459f1308d0e82c155edee6914defba78ebe
Instruction Fuzzy Hash: 379122756083059FC714EF28C48196ABBE9FB89314F14892DF88A9B351DB30EE45CF92

Function 00934BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0091000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?,?,0091035E), ref: 0091002B
Part of subcall function 0091000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?), ref: 00910046
Part of subcall function 0091000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?), ref: 00910054
Part of subcall function 0091000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?), ref: 00910064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00934C51
_wcslen.LIBCMT ref: 00934D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00934DCF
CoTaskMemFree.OLE32(?), ref: 00934DDA

Strings

NULL Pointer assignment, xrefs: 00934E23, 00934E52

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: fd1dbd25fe98e3d345755aac18ebb621ecafe489eda8f2d8fbec5d808f07bbf7
Instruction ID: 53dc641bc57efd05bcb214f6df452706ee16a27c7c4ddd4dffdb2901d269cdc0
Opcode Fuzzy Hash: fd1dbd25fe98e3d345755aac18ebb621ecafe489eda8f2d8fbec5d808f07bbf7
Instruction Fuzzy Hash: A3911871D0021D9FDF14DFA4C891AEEB7B8FF48310F11456AE915A7251EB34AA44CFA1

Function 009420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00942183
GetMenuItemCount.USER32(00000000), ref: 009421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009421DD
_wcslen.LIBCMT ref: 00942213
GetMenuItemID.USER32(?,?), ref: 0094224D
GetSubMenu.USER32(?,?), ref: 0094225B

Part of subcall function 00913A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00913A57
Part of subcall function 00913A3D: GetCurrentThreadId.KERNEL32 ref: 00913A5E
Part of subcall function 00913A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009125B3), ref: 00913A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009422E3

Part of subcall function 0091E97B: Sleep.KERNEL32 ref: 0091E9F3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 42616d3ec796be5e36ed030c40300777ce00df18a28e4ffbe0508633f84c7a97
Instruction ID: f973981e42be8085b14062a360bf2be76798eaa87a54c8ed601f55dd1534288c
Opcode Fuzzy Hash: 42616d3ec796be5e36ed030c40300777ce00df18a28e4ffbe0508633f84c7a97
Instruction Fuzzy Hash: 5A717C75A04205AFCB14DF68C881EAEBBF5FF88310F508499F926EB351DB74E9418B90

Function 00947E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014557C0), ref: 00947F37
IsWindowEnabled.USER32(014557C0), ref: 00947F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0094801E
SendMessageW.USER32(014557C0,000000B0,?,?), ref: 00948051
IsDlgButtonChecked.USER32(?,?), ref: 00948089
GetWindowLongW.USER32(014557C0,000000EC), ref: 009480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009480C3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: eb8b671b28892c601296873e9c40f9af36b47fedd58b524df4e44283252c0a73
Instruction ID: 003660e8ce5fadb8c21f416a6dc060107ff5197b90dbb16b6ba73e304bfa1ec9
Opcode Fuzzy Hash: eb8b671b28892c601296873e9c40f9af36b47fedd58b524df4e44283252c0a73
Instruction Fuzzy Hash: 67719274608208AFEB259F94C884FFABBB9FF49300F14449AF94597261DB31AC49DB10

Function 0091AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0091AEF9
GetKeyboardState.USER32(?), ref: 0091AF0E
SetKeyboardState.USER32(?), ref: 0091AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0091AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0091AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0091AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0091B020

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 67908bb6ecb196428d8d06ee3cbc4c9781562df83fb5b4362447e3182afd2faf
Instruction ID: c23760f05468b7d2e0eeaf00e25d749d3f5f5f25d1a83e5ba5eeb3d5bd97c4a1
Opcode Fuzzy Hash: 67908bb6ecb196428d8d06ee3cbc4c9781562df83fb5b4362447e3182afd2faf
Instruction Fuzzy Hash: D651C3A07157D93DFB3682348C45BFA7EAE5B06304F088989F1E9554C2D3E8ACC9D761

Function 0091ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0091AD19
GetKeyboardState.USER32(?), ref: 0091AD2E
SetKeyboardState.USER32(?), ref: 0091AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0091ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0091ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0091AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0091AE38

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 417b1e0b9ee2324dbe5fa24bb9bbc59bd7db2e0f11471c89c1ff57653d8c5292
Instruction ID: da1dc7c541ef9a0a6298cad1962df0c9eb462abe7f0e80ffb2a5324ae38ba86c
Opcode Fuzzy Hash: 417b1e0b9ee2324dbe5fa24bb9bbc59bd7db2e0f11471c89c1ff57653d8c5292
Instruction Fuzzy Hash: 1B51D4A170A7D93DFB3683348C55BFA7EAD5B46304F088488E1D5468C2D2A4ECD8E762

Function 008E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(008F3CD6,?,?,?,?,?,?,?,?,008E5BA3,?,?,008F3CD6,?,?), ref: 008E5470
__fassign.LIBCMT ref: 008E54EB
__fassign.LIBCMT ref: 008E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,008F3CD6,00000005,00000000,00000000), ref: 008E552C
WriteFile.KERNEL32(?,008F3CD6,00000000,008E5BA3,00000000,?,?,?,?,?,?,?,?,?,008E5BA3,?), ref: 008E554B
WriteFile.KERNEL32(?,?,00000001,008E5BA3,00000000,?,?,?,?,?,?,?,?,?,008E5BA3,?), ref: 008E5584

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: cc9bfa4834c32ce1b7b673faa52cd2abc8dcc4637d5e75fb1e0ba51d93aa8213
Instruction ID: 7ce0dff4912f669680788fe6cae5d171d4af8b333e487ace0a4f2bb46dd08eea
Opcode Fuzzy Hash: cc9bfa4834c32ce1b7b673faa52cd2abc8dcc4637d5e75fb1e0ba51d93aa8213
Instruction Fuzzy Hash: 4B51F3B1A00689AFDB10CFA9D855AEEBBF9FF0A304F14411AF555E7291D730DA40CB60

Function 008D2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008D2D53
_ValidateLocalCookies.LIBCMT ref: 008D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008D2E0C
_ValidateLocalCookies.LIBCMT ref: 008D2E61

Strings

csm, xrefs: 008D2DF6

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9d633b003b7898f6c1a05d2477b23ace13b9e2ed00a601dde5bd6d66970258fc
Instruction ID: e4b949c28d9e9976f4db01361f7770bccd58259ec8b613cf3ae705ab9bd6472e
Opcode Fuzzy Hash: 9d633b003b7898f6c1a05d2477b23ace13b9e2ed00a601dde5bd6d66970258fc
Instruction Fuzzy Hash: 2F419034A0020DABCF10DF69C845A9EBBB5FF55328F148266E814EB392D731AA15CBD1

Function 009310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0093304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0093307A
Part of subcall function 0093304E: _wcslen.LIBCMT ref: 0093309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00931112
WSAGetLastError.WSOCK32 ref: 00931121
WSAGetLastError.WSOCK32 ref: 009311C9
closesocket.WSOCK32(00000000), ref: 009311F9

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 08c560a666b5404877266191aae1f1b21a0cddd9888cc91be6ac3bc074142870
Instruction ID: 041424abeac6366d54fa066d9b3a931ec0676234f7dfe27cb0a43d391dc7bca9
Opcode Fuzzy Hash: 08c560a666b5404877266191aae1f1b21a0cddd9888cc91be6ac3bc074142870
Instruction Fuzzy Hash: 4F41E175604204AFDB109F98C884BEABBE9FF45324F148059F9059B3A1C774AD41CFA1

Function 0091CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0091DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0091CF22,?), ref: 0091DDFD

Part of subcall function 0091DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0091CF22,?), ref: 0091DE16

lstrcmpiW.KERNEL32(?,?), ref: 0091CF45
MoveFileW.KERNEL32(?,?), ref: 0091CF7F
_wcslen.LIBCMT ref: 0091D005
_wcslen.LIBCMT ref: 0091D01B
SHFileOperationW.SHELL32(?), ref: 0091D061

Strings

\*.*, xrefs: 0091CFF3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d0f619c3b20b6d80321371a501640f1d97877244dc3f0af86994e8e569b9bf53
Instruction ID: 3f7ce0542dfb7085ce47bcd352372368e1c1cbf52d39aee62494a2678f5365ee
Opcode Fuzzy Hash: d0f619c3b20b6d80321371a501640f1d97877244dc3f0af86994e8e569b9bf53
Instruction Fuzzy Hash: CA4165B194521C5FDF12EFA4D981ADDB7BDAF48380F1000E6E505EB241EA34A689CB51

Function 00942DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00942E1C
GetWindowLongW.USER32(?,000000F0), ref: 00942E4F
GetWindowLongW.USER32(?,000000F0), ref: 00942E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00942EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00942EE0
GetWindowLongW.USER32(?,000000F0), ref: 00942EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00942F0B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0c246000287bd4f8cc8a3ea97529d8de2d20698a7706ca1171a63f61e61fabc5
Instruction ID: 43417dc6abc1d1c3d4c25a66058d0f8fda9b5865d273eb154701af8a81f3c072
Opcode Fuzzy Hash: 0c246000287bd4f8cc8a3ea97529d8de2d20698a7706ca1171a63f61e61fabc5
Instruction Fuzzy Hash: 6C313534619241AFDB20CF58EC84F6A37E8FB8A710F9501A4F9148F2B2CB71AC41EB00

Function 00917726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00917769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0091778F
SysAllocString.OLEAUT32(00000000), ref: 00917792
SysAllocString.OLEAUT32(?), ref: 009177B0
SysFreeString.OLEAUT32(?), ref: 009177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009177DE
SysAllocString.OLEAUT32(?), ref: 009177EC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 64c6524d6fe882fcc5fd22e097a311c7f1bc0fb187b164a7c1bf022e8ae312f5
Instruction ID: cdf11edd8740cc401605027d9def4244ec8827b89a78aa164efe91acf79ca102
Opcode Fuzzy Hash: 64c6524d6fe882fcc5fd22e097a311c7f1bc0fb187b164a7c1bf022e8ae312f5
Instruction Fuzzy Hash: 5221A37A70921EAFDB10DFA8DC84DFBB3BCEB09364B048425BA15DB1A1D674DC818760

Function 009177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00917842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00917868
SysAllocString.OLEAUT32(00000000), ref: 0091786B
SysAllocString.OLEAUT32 ref: 0091788C
SysFreeString.OLEAUT32 ref: 00917895
StringFromGUID2.OLE32(?,?,00000028), ref: 009178AF
SysAllocString.OLEAUT32(?), ref: 009178BD

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0ddfc1c7552a90398fa135ba2a83976c990bc486cf356ac519a92818dfc3849d
Instruction ID: 2b568333a4540427ecea7adbadbd3cadf09584059996ad374209ee1b9b192375
Opcode Fuzzy Hash: 0ddfc1c7552a90398fa135ba2a83976c990bc486cf356ac519a92818dfc3849d
Instruction Fuzzy Hash: 11219075709209AFDB10AFE8DC88DEAB7BCEB093607108165F915CB2A1D674DC81DB74

Function 009204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0092052E

Strings

nul, xrefs: 00920567

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 15e70bee8da7dbe1bbc97d05eadfcd8bed97043c70258f37f4b1de853bab9156
Instruction ID: b380b9532d0ebaceebee61d061126c152e5641541876a628cec8efccddbad998
Opcode Fuzzy Hash: 15e70bee8da7dbe1bbc97d05eadfcd8bed97043c70258f37f4b1de853bab9156
Instruction Fuzzy Hash: 01215E75600319AFDB209F2AE844E9A77A8AF85724F204A19F8A1D62E5D7B0D940DF60

Function 009205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00920601

Strings

nul, xrefs: 00920639

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 43c77b1dc5b8cf49ef4362ca8920aaf2280d69ffdb18e590bab8b93dc9472178
Instruction ID: fdc1c7cd76a6f84db0c2512d9c6715b7a3186dff4c66ab0b30cf455a1d314444
Opcode Fuzzy Hash: 43c77b1dc5b8cf49ef4362ca8920aaf2280d69ffdb18e590bab8b93dc9472178
Instruction Fuzzy Hash: C62192756003259FDB209F69EC44E9A77E8BFD5720F200B19F8A1E72E9D7B09860CB10

Function 009440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008B604C
Part of subcall function 008B600E: GetStockObject.GDI32(00000011), ref: 008B6060
Part of subcall function 008B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00944112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0094411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0094412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00944139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00944145

Strings

Msctls_Progress32, xrefs: 009440E3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ac4861ba72ebf2ea1f64485cf4213fb7246c5cdf4b8569863d5ba174721ef9ea
Instruction ID: fb173528f0264737a7bb3d2ff985f85df84f9ab0832d8284a6515df2c436f4c5
Opcode Fuzzy Hash: ac4861ba72ebf2ea1f64485cf4213fb7246c5cdf4b8569863d5ba174721ef9ea
Instruction Fuzzy Hash: 4B11B2B215021DBEEF119F64CC86EE77F5DEF18798F014111FA18A2160C6769C61DBA4

Function 008ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008ED7A3: _free.LIBCMT ref: 008ED7CC

_free.LIBCMT ref: 008ED82D

Part of subcall function 008E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000), ref: 008E29DE
Part of subcall function 008E29C8: GetLastError.KERNEL32(00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000,00000000), ref: 008E29F0

_free.LIBCMT ref: 008ED838
_free.LIBCMT ref: 008ED843
_free.LIBCMT ref: 008ED897
_free.LIBCMT ref: 008ED8A2
_free.LIBCMT ref: 008ED8AD
_free.LIBCMT ref: 008ED8B8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 62502b033d8b48d59da35f8b7a074ae5359ed35bc1dc13d075520a4d8bacbc45
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 32115E71540B88BAD621BFB6CC47FCB7BDCFF02700F400825B699E6093DA69F5098662

Function 0091DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0091DA74
LoadStringW.USER32(00000000), ref: 0091DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0091DA91
LoadStringW.USER32(00000000), ref: 0091DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0091DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0091DAB9

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e7d6e71943b0b72e5de6574afa7d57b4a2f9c33427c308426496fa97fd158036
Instruction ID: 9831fb2553bdba66d1986b5bf8962159a04b144ee0509b4ef779132c0bfe13bf
Opcode Fuzzy Hash: e7d6e71943b0b72e5de6574afa7d57b4a2f9c33427c308426496fa97fd158036
Instruction Fuzzy Hash: CA0186F65052087FE750DBE09D89EEB336CEB09305F404891B746E2041EA749E844F74

Function 0092096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0144D1D0,0144D1D0), ref: 0092097B
EnterCriticalSection.KERNEL32(0144D1B0,00000000), ref: 0092098D
TerminateThread.KERNEL32(?,000001F6), ref: 0092099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009209A9
CloseHandle.KERNEL32(?), ref: 009209B8
InterlockedExchange.KERNEL32(0144D1D0,000001F6), ref: 009209C8
LeaveCriticalSection.KERNEL32(0144D1B0), ref: 009209CF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b82eaa608e786b7ca65912a0327e61eebee960ee7b37e70bd20e7856b8f291ed
Instruction ID: 3ac17ee93283801f36224846d742685a6c7f193b218ca1da4bce00925efc9572
Opcode Fuzzy Hash: b82eaa608e786b7ca65912a0327e61eebee960ee7b37e70bd20e7856b8f291ed
Instruction Fuzzy Hash: 31F0697615BA12AFD7812FA0EE88ED6BA28BF06702F402021F202908A1C7B09461DF90

Function 00931C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00931DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00931DE1
WSAGetLastError.WSOCK32 ref: 00931DF2
htons.WSOCK32(?,?,?,?,?), ref: 00931EDB
inet_ntoa.WSOCK32(?), ref: 00931E8C

Part of subcall function 009139E8: _strlen.LIBCMT ref: 009139F2

Part of subcall function 00933224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0092EC0C), ref: 00933240

_strlen.LIBCMT ref: 00931F35

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 803512bda324d1fab21527675b788d450d4d3c1bb7b100d147a34ab8d330966a
Instruction ID: 55632a0c853dc2561e830c576a39e2cdfbc2325dffba6f943e5ec50d753c787f
Opcode Fuzzy Hash: 803512bda324d1fab21527675b788d450d4d3c1bb7b100d147a34ab8d330966a
Instruction Fuzzy Hash: C6B1AE31204300AFD324DF28C885E6A7BA9EF85318F54895CF5569B3E2DB71ED42CB92

Function 008B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008B5D30
GetWindowRect.USER32(?,?), ref: 008B5D71
ScreenToClient.USER32(?,?), ref: 008B5D99
GetClientRect.USER32(?,?), ref: 008B5ED7
GetWindowRect.USER32(?,?), ref: 008B5EF8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: e56cc3fe8137f92112d07f04aa33f75d9c576e329d09f975a42a9a5415b04984
Instruction ID: 0c6a3209667bab0cd941a5ead701d6551247fb1c51a2e263b744733b490c61fd
Opcode Fuzzy Hash: e56cc3fe8137f92112d07f04aa33f75d9c576e329d09f975a42a9a5415b04984
Instruction Fuzzy Hash: A1B15678A10A4ADBDB10CFB8C4807EABBF1FF48310F14951AE9A9D7250DB34EA51DB54

Function 008E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E00D6
__allrem.LIBCMT ref: 008E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E010B
__allrem.LIBCMT ref: 008E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E0140

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 4eab0b3e3402b2c0997ddfd4664df2a1b84288ed9885b7bf216bccd64fd0f27b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A581E771A00B469BE7209F6ECC41B6B73E9FF42324F24463AF551DA382EBB0D9409B51

Function 008E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008D82D9,008D82D9,?,?,?,008E644F,00000001,00000001,8BE85006), ref: 008E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008E644F,00000001,00000001,8BE85006,?,?,?), ref: 008E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008E63D8
__freea.LIBCMT ref: 008E63E5

Part of subcall function 008E3820: RtlAllocateHeap.NTDLL(00000000,?,00981444,?,008CFDF5,?,?,008BA976,00000010,00981440,008B13FC,?,008B13C6,?,008B1129), ref: 008E3852

__freea.LIBCMT ref: 008E63EE
__freea.LIBCMT ref: 008E6413

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5a1d8785cb31bfd98ee4e0180f94422b551dc9656777137b089f37625369fb26
Instruction ID: e292244a265d2de74ee25f332e5d6ef8115dbec8afa56ec3e5fd4ce7cc4197ab
Opcode Fuzzy Hash: 5a1d8785cb31bfd98ee4e0180f94422b551dc9656777137b089f37625369fb26
Instruction Fuzzy Hash: 9051F572A00296AFDB258F66CC81EAF77A9FB56790F144229FD05D7240EB34DC60C660

Function 0093BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 0093C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0093B6AE,?,?), ref: 0093C9B5
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093C9F1
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA68
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0093BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0093BD25
RegCloseKey.ADVAPI32(00000000), ref: 0093BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0093BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0093BDF3
RegCloseKey.ADVAPI32(?), ref: 0093BDFF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b5443069dc321926b524e756f88af3f322b704a60b415c404dd6be62ea24c94b
Instruction ID: 4ed42f086a5f3c765fa87c3635b1333a65842587c3e60a5dc0c0ae2c05020add
Opcode Fuzzy Hash: b5443069dc321926b524e756f88af3f322b704a60b415c404dd6be62ea24c94b
Instruction Fuzzy Hash: 9781A170208241AFD714DF28C891E6ABBE9FF84308F14895CF5958B2A2DB31ED45CF92

Function 0090F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0090F7B9
SysAllocString.OLEAUT32(00000001), ref: 0090F860
VariantCopy.OLEAUT32(0090FA64,00000000), ref: 0090F889
VariantClear.OLEAUT32(0090FA64), ref: 0090F8AD
VariantCopy.OLEAUT32(0090FA64,00000000), ref: 0090F8B1
VariantClear.OLEAUT32(?), ref: 0090F8BB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5a6c0635507710d846f828c1fa633a5913c5473d092cf014e825277e490baf38
Instruction ID: 9c5c5428c05fb7b90dc4a9fbb6e045c0264dec98479dde19a8f2ddcb90ad6cf6
Opcode Fuzzy Hash: 5a6c0635507710d846f828c1fa633a5913c5473d092cf014e825277e490baf38
Instruction Fuzzy Hash: 80510635600310BFDF34AB65D8A5B69B3A8FF45310B209866E906DF6D2DB748D40C7A7

Function 0092910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 008B7620: _wcslen.LIBCMT ref: 008B7625

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009294E5
_wcslen.LIBCMT ref: 00929506
_wcslen.LIBCMT ref: 0092952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00929585

Strings

X, xrefs: 00929412

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ee55e0c22d1a2cdb9d722eb63b12b68e7b0570e742491586eff8b4afdf89015b
Instruction ID: 2a3c57cb6a970a0b0ab6b0fccc4855292263ebc7b474b0aee72cbcc2e5b278c2
Opcode Fuzzy Hash: ee55e0c22d1a2cdb9d722eb63b12b68e7b0570e742491586eff8b4afdf89015b
Instruction Fuzzy Hash: 4EE1A1316083109FD724DF28D881AAAB7E4FF85314F14896DF8999B3A6DB31DD05CB92

Function 008C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

BeginPaint.USER32(?,?,?), ref: 008C9241
GetWindowRect.USER32(?,?), ref: 008C92A5
ScreenToClient.USER32(?,?), ref: 008C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008C92D3
EndPaint.USER32(?,?,?,?,?), ref: 008C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009071EA

Part of subcall function 008C9339: BeginPath.GDI32(00000000), ref: 008C9357

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: b2b89862f63da181776a581bed8a10b7c956e8bc4c9267e1d5ba45214005c863
Instruction ID: 6ef63e2ad2d2ba5fe2782bd3ad07fc717dd36f31450131699d931bb98ab27223
Opcode Fuzzy Hash: b2b89862f63da181776a581bed8a10b7c956e8bc4c9267e1d5ba45214005c863
Instruction Fuzzy Hash: 7E418070509201AFD711DF64DC88FAA7BB8FB46324F1406ADF9A5C72E1C7319845EB62

Function 009207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0092080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00920847
EnterCriticalSection.KERNEL32(?), ref: 00920863
LeaveCriticalSection.KERNEL32(?), ref: 009208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00920921

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6303cc0e65263a6ff564df6994edf8699ae53eec1940fc9dde59219955bfd6dd
Instruction ID: ffd21bc65f7be5f4920559ae49a91d47013bbb52742d0e9886ce334e5908e8fb
Opcode Fuzzy Hash: 6303cc0e65263a6ff564df6994edf8699ae53eec1940fc9dde59219955bfd6dd
Instruction Fuzzy Hash: 8D415975900205AFEF14AF58EC85A6A77B9FF44300F1440A9E904DE29BDB71DE60DBA1

Function 009481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0090F3AB,00000000,?,?,00000000,?,0090682C,00000004,00000000,00000000), ref: 0094824C
EnableWindow.USER32(?,00000000), ref: 00948272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009482D1
ShowWindow.USER32(?,00000004), ref: 009482E5
EnableWindow.USER32(?,00000001), ref: 0094830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0094832F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a9dae9765c73fd8dfd6712469d07b28a19e24961a58ec42fc3eadf49dfee60bb
Instruction ID: 073af6ab51a4cb22bf5f59825a1a13abe15a383b4a7f16709060a574b4867663
Opcode Fuzzy Hash: a9dae9765c73fd8dfd6712469d07b28a19e24961a58ec42fc3eadf49dfee60bb
Instruction Fuzzy Hash: 8641E634605640AFDB25CF14D899FE97BE8FB0A754F184268E5184F272CB72AC42DB40

Function 00914C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00914C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00914CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00914CEA
_wcslen.LIBCMT ref: 00914D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00914D10
_wcsstr.LIBVCRUNTIME ref: 00914D1A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 6b1085a54db8f4869412d278209899eb9a8a3ba5f7db116d0f1655091dfefc97
Instruction ID: 7f849b4ca8d1e293934acddeccb910bd31a0e1c6c007031817908c88c47312e0
Opcode Fuzzy Hash: 6b1085a54db8f4869412d278209899eb9a8a3ba5f7db116d0f1655091dfefc97
Instruction Fuzzy Hash: F02129753052057BEB155B39AC09EBB7BADEF49750F10802DF805CA192EA71DC4096A1

Function 0092581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 008B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B3A97,?,?,008B2E7F,?,?,?,00000000), ref: 008B3AC2

_wcslen.LIBCMT ref: 0092587B
CoInitialize.OLE32(00000000), ref: 00925995
CoCreateInstance.OLE32(0094FCF8,00000000,00000001,0094FB68,?), ref: 009259AE
CoUninitialize.OLE32 ref: 009259CC

Strings

.lnk, xrefs: 00925876, 009258C1, 00925985

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 03b280edf85d6a186ed259fe42296ff0fb9cdfb324f0f75eba17952492df32ad
Instruction ID: 2fa0b3caf368906c93d31c1138b8ede19e58e625bac4427a52f148195bb89b31
Opcode Fuzzy Hash: 03b280edf85d6a186ed259fe42296ff0fb9cdfb324f0f75eba17952492df32ad
Instruction Fuzzy Hash: A0D171756087119FC714DF28D480A6ABBE5FF89310F16885DF88A9B361DB31EC45CB92

Function 0091175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00910FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00910FCA
Part of subcall function 00910FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00910FD6
Part of subcall function 00910FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00910FE5
Part of subcall function 00910FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00910FEC
Part of subcall function 00910FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00911002

GetLengthSid.ADVAPI32(?,00000000,00911335), ref: 009117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009117BA
HeapAlloc.KERNEL32(00000000), ref: 009117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009117DA
GetProcessHeap.KERNEL32(00000000,00000000,00911335), ref: 009117EE
HeapFree.KERNEL32(00000000), ref: 009117F5

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cfb09afd79ea2edae3a7c4c3fa3a06806dd551bed90eccf9e902433479b653bd
Instruction ID: 063ba9164e397edcb9886b85772ecc8a0b05ebd68d3df22a0b54f53d3c131774
Opcode Fuzzy Hash: cfb09afd79ea2edae3a7c4c3fa3a06806dd551bed90eccf9e902433479b653bd
Instruction Fuzzy Hash: 1311BB7661A209FFDB209FA4CD49FEE7BADEB46355F104018F581A7290C736A980DB60

Function 009114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00911506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00911515
CloseHandle.KERNEL32(00000004), ref: 00911520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0091154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00911563

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: de3bdc790aaa4a2caa48749b7f861b6a8ff2b59d0e548b8460ff9deab9b073a2
Instruction ID: 1026d065b36f96dc4ca45900a86900721ac422b8e1e204982459e7d971e6c540
Opcode Fuzzy Hash: de3bdc790aaa4a2caa48749b7f861b6a8ff2b59d0e548b8460ff9deab9b073a2
Instruction Fuzzy Hash: 201117B660620DBFDF118F98DE49FDA7BA9EB49744F044015FA05A20A0C3758EA0EB61

Function 008D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008D3379,008D2FE5), ref: 008D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008D33B7
SetLastError.KERNEL32(00000000,?,008D3379,008D2FE5), ref: 008D3409

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f029582afca004b2bba43856489ff6ecf5eb25ccd1f3fcc7990ae612c3149370
Instruction ID: 3bccdf23ad0d5b2e8dc131a7ca48f3f342b408df73fcc5aac4c580a2d54758c7
Opcode Fuzzy Hash: f029582afca004b2bba43856489ff6ecf5eb25ccd1f3fcc7990ae612c3149370
Instruction Fuzzy Hash: 3401F17331D311BEAA282BB87C859272B94FB25379320032FF410C03F0EF118D01A286

Function 008E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008E5686,008F3CD6,?,00000000,?,008E5B6A,?,?,?,?,?,008DE6D1,?,00978A48), ref: 008E2D78
_free.LIBCMT ref: 008E2DAB
_free.LIBCMT ref: 008E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008DE6D1,?,00978A48,00000010,008B4F4A,?,?,00000000,008F3CD6), ref: 008E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008DE6D1,?,00978A48,00000010,008B4F4A,?,?,00000000,008F3CD6), ref: 008E2DEC
_abort.LIBCMT ref: 008E2DF2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 49f9c66bb7273d9f4579deae1bba766390ab9086b412263a4d34c710063295e4
Instruction ID: 437ab006bf4c71f54bc5c424cd6d43534b030c6a7f9ae5127b9aa4f2ac5cba35
Opcode Fuzzy Hash: 49f9c66bb7273d9f4579deae1bba766390ab9086b412263a4d34c710063295e4
Instruction Fuzzy Hash: 53F0C876A096887BC252373FBC0AE1A265DFFC37A5F354529FA29D31D2EF248C015162

Function 00948A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008C9693
Part of subcall function 008C9639: SelectObject.GDI32(?,00000000), ref: 008C96A2
Part of subcall function 008C9639: BeginPath.GDI32(?), ref: 008C96B9
Part of subcall function 008C9639: SelectObject.GDI32(?,00000000), ref: 008C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00948A4E
LineTo.GDI32(?,00000003,00000000), ref: 00948A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00948A70
LineTo.GDI32(?,00000000,00000003), ref: 00948A80
EndPath.GDI32(?), ref: 00948A90
StrokePath.GDI32(?), ref: 00948AA0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 97cfad695549cbdc64c4a2d39637263fdad672d0730290c65c987b02f07ffc32
Instruction ID: 9e771aef282034ffaf7210644c6288aa8b062f3ba4199617ff18f3ab5c1fe8ad
Opcode Fuzzy Hash: 97cfad695549cbdc64c4a2d39637263fdad672d0730290c65c987b02f07ffc32
Instruction Fuzzy Hash: 33111B7600510CFFDF129F94DC88EAA7F6CEB09390F048012FA199A1A1C7729D55EFA0

Function 009151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00915218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00915229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00915230
ReleaseDC.USER32(00000000,00000000), ref: 00915238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0091524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00915261

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: bc2de568dce9ce796fe9b33100630d3ac564b5d6ab91730588a7b57d63944472
Instruction ID: 31a40d662032f6fbb4a7c46c1fbd587cbb05a62aa5a8f461b42fad996877c501
Opcode Fuzzy Hash: bc2de568dce9ce796fe9b33100630d3ac564b5d6ab91730588a7b57d63944472
Instruction Fuzzy Hash: 10018FB5A05709BFEB109BA59C49E4EBFB8EB49351F054065FA04A7290D6709800DBA0

Function 008B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 008B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 008B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008B1C22

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9554aac5ffcfd91b5bcc72a1ae8ad9411a90073f0aa5ccd9f906a8af15998398
Instruction ID: 4c1d3c381b9c35f2d50fc33a93f1091fe4336558861a32cc6a4d9611ce59f26a
Opcode Fuzzy Hash: 9554aac5ffcfd91b5bcc72a1ae8ad9411a90073f0aa5ccd9f906a8af15998398
Instruction Fuzzy Hash: E70167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CFE5

Function 0091EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0091EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0091EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0091EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0091EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0091EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0091EB75

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 47e71a88bc93b5c8dd2accdd69fa81c18c49fbdc834e5efff0c4cf8d80b266b9
Instruction ID: 31184077bfe77639fc0fbae195c816d5552d3eaeb9907c050054fd47fa3c04f0
Opcode Fuzzy Hash: 47e71a88bc93b5c8dd2accdd69fa81c18c49fbdc834e5efff0c4cf8d80b266b9
Instruction Fuzzy Hash: 55F0B4B6256159BFE7205B529C0DEEF3E7CEFCBB11F004158F601D1090D7A01A01D6B4

Function 00907439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00907452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00907469
GetWindowDC.USER32(?), ref: 00907475
GetPixel.GDI32(00000000,?,?), ref: 00907484
ReleaseDC.USER32(?,00000000), ref: 00907496
GetSysColor.USER32(00000005), ref: 009074B0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 7037369f43ce18696620e325cf9701be9d6b1f523ca8530a3153382de5b312f9
Instruction ID: fcda70fc98a5fa2e5502985cbb728b1940d55fb394b4896f9ff8ee935a08b32c
Opcode Fuzzy Hash: 7037369f43ce18696620e325cf9701be9d6b1f523ca8530a3153382de5b312f9
Instruction Fuzzy Hash: 36018B75819209FFDBA05FA4DC08FAEBBBAFB05321F114064F915A21B1CB312E41AB10

Function 00911874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0091187F
UnloadUserProfile.USERENV(?,?), ref: 0091188B
CloseHandle.KERNEL32(?), ref: 00911894
CloseHandle.KERNEL32(?), ref: 0091189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009118A5
HeapFree.KERNEL32(00000000), ref: 009118AC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 1b0444d0dbe4284733e8ee602a390929a330b07d1067ca8e7c0f7703dbbeab1b
Instruction ID: a9ef1d992a7a4d950afa642c989c0f4cb232d08bb54f8fb8ec2b2e71506807b9
Opcode Fuzzy Hash: 1b0444d0dbe4284733e8ee602a390929a330b07d1067ca8e7c0f7703dbbeab1b
Instruction Fuzzy Hash: 0EE0C2BA21A101BFDA415FA1ED0CD0ABF29FB4AB22B108220F22581070CB329420EB50

Function 0091C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B7620: _wcslen.LIBCMT ref: 008B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0091C6EE
_wcslen.LIBCMT ref: 0091C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0091C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0091C7CA

Strings

0, xrefs: 0091C6AF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: d95df3f8a08350c41ca8cc12ff4ad111daf273a5fe24bb53e95d0aded30c5224
Instruction ID: 570270f84c702daf12f5a7c6c194604a9f1b06e20a8ca3b4c5086543d5ff814e
Opcode Fuzzy Hash: d95df3f8a08350c41ca8cc12ff4ad111daf273a5fe24bb53e95d0aded30c5224
Instruction Fuzzy Hash: 7D51D0B17843099BD7149F28C885BEE77E8EF85350F040A2DF995D22E1DBB4D884CB52

Function 0093AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0093AEA3

Part of subcall function 008B7620: _wcslen.LIBCMT ref: 008B7625

GetProcessId.KERNEL32(00000000), ref: 0093AF38
CloseHandle.KERNEL32(00000000), ref: 0093AF67

Strings

@, xrefs: 0093AE72
<, xrefs: 0093AE6B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 90c844be347e1d2113021f686028e10a6b6e5bf215ee556c3fb9edc514eed233
Instruction ID: 452083af9b56198c49fb8cb1646f373c137f9dca92f054418b2ff68b0e84c093
Opcode Fuzzy Hash: 90c844be347e1d2113021f686028e10a6b6e5bf215ee556c3fb9edc514eed233
Instruction Fuzzy Hash: 63713475A002199FCB24DF58C485A9EBBB4FF08314F048499E856AB7A2CB74ED45CF92

Function 0091719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00917206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0091723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0091724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009172CF

Strings

DllGetClassObject, xrefs: 00917242

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b0329fc8baab8e4ae5277d8cb5ba09cc949d792038a51fd259eadb3400010296
Instruction ID: 84240a7ea8ffc3c92eeab9a2ecec0dbdb586dd7ca00dc9a9e019f82d9b2d4f4c
Opcode Fuzzy Hash: b0329fc8baab8e4ae5277d8cb5ba09cc949d792038a51fd259eadb3400010296
Instruction Fuzzy Hash: 964182B1704209DFDB15CF94C884BDABBB9EF89310F1484A9BD159F20AD7B1D985CBA0

Function 00943D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00943E35
IsMenu.USER32(?), ref: 00943E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00943E92
DrawMenuBar.USER32 ref: 00943EA5

Strings

0, xrefs: 00943D89

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ba68f6c1fcfbe363f0358dc1d43366e54c1d617dff6cc0c94764c386775382c8
Instruction ID: 6d5b0082eff63a2e38d0d2abd33aa0166749d55bb8e129aeea5d6bbc3582238a
Opcode Fuzzy Hash: ba68f6c1fcfbe363f0358dc1d43366e54c1d617dff6cc0c94764c386775382c8
Instruction Fuzzy Hash: C4416875A12209AFDB10DF60D884EAABBB9FF49350F048129F915A7350D730AE45DF50

Function 00911DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00911E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00911E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00911EA9

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

Strings

ComboBox, xrefs: 00911DF0
ListBox, xrefs: 00911E25

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b0332bffac83e8a970b0bf9d33ea73fed54b25edfc632e31d51049c03a70739c
Instruction ID: e86de69e719eae1e418d622f30b28c39a84c7d10e603e2d99f30de75c596cc39
Opcode Fuzzy Hash: b0332bffac83e8a970b0bf9d33ea73fed54b25edfc632e31d51049c03a70739c
Instruction Fuzzy Hash: 68214971B00108BFDB14ABA4DC45DFFB7BCEF41350B108519F925E72E1EB3849459620

Function 00942F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00942F8D
LoadLibraryW.KERNEL32(?), ref: 00942F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00942FA9
DestroyWindow.USER32(?), ref: 00942FB1

Strings

SysAnimate32, xrefs: 00942F68

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a30fafaf06622e1841682d9bbad53d529e4d273037d87ea63957792de5aa99c0
Instruction ID: 9a27f4eca9ab645780c5b40f13337b01107ba6d9b0d07606769ea60aeb83ca75
Opcode Fuzzy Hash: a30fafaf06622e1841682d9bbad53d529e4d273037d87ea63957792de5aa99c0
Instruction Fuzzy Hash: DF219A72214209AFEB204FA4DC80EBB7BBDFB59364F904658F950D21A0D771DC95A760

Function 008D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008D4D1E,008E28E9,?,008D4CBE,008E28E9,009788B8,0000000C,008D4E15,008E28E9,00000002), ref: 008D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008D4D1E,008E28E9,?,008D4CBE,008E28E9,009788B8,0000000C,008D4E15,008E28E9,00000002,00000000), ref: 008D4DC3

Strings

mscoree.dll, xrefs: 008D4D86
CorExitProcess, xrefs: 008D4D98

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a9b7c9d4aa83b22371e14bc22b02f85f8b6b921b93f2753f9282dd54b57b620d
Instruction ID: 0b4891bc0a94f80b63ec56c74dc9461c551c10f895d034789549a421b21fcf73
Opcode Fuzzy Hash: a9b7c9d4aa83b22371e14bc22b02f85f8b6b921b93f2753f9282dd54b57b620d
Instruction Fuzzy Hash: 34F0AF75A15208BFDB109F90DC09FADBFB5EF48752F0001A9F809E2260DB305944EF90

Function 008B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008B4EDD,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008B4EAE
FreeLibrary.KERNEL32(00000000,?,?,008B4EDD,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 008B4EA8
kernel32.dll, xrefs: 008B4E94

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 65ed6eec0ca318dc28908fa3f4b6f0c521b18ad7edf32f079d92d96741853c1e
Instruction ID: 4e828d7afae7c9e154e91588b6cc689313c9226249515a19e961a09994601ff9
Opcode Fuzzy Hash: 65ed6eec0ca318dc28908fa3f4b6f0c521b18ad7edf32f079d92d96741853c1e
Instruction Fuzzy Hash: A6E0CD7AA1B9225FD37117296C19F9F6554FFC6F727050115FC04D2302EB60CD05D5A1

Function 008B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008F3CDE,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008B4E74
FreeLibrary.KERNEL32(00000000,?,?,008F3CDE,?,00981418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008B4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 008B4E6E
kernel32.dll, xrefs: 008B4E5B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3b00ec13eb4b22f8e34aa48f1c02f58fd8deb8da9c097c1229dcdb48f4dd8160
Instruction ID: cb07499562df8fd457fb304a1749487037ad4d6b72e27fc1d08be6c3925455e2
Opcode Fuzzy Hash: 3b00ec13eb4b22f8e34aa48f1c02f58fd8deb8da9c097c1229dcdb48f4dd8160
Instruction Fuzzy Hash: 85D0C27A51BA215B46621B246C09DCB2B18FF8AB253454210B804E2212DF20CD01D5E0

Function 00922947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00922C05
DeleteFileW.KERNEL32(?), ref: 00922C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00922C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00922CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00922CC0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 07918a48531dbbfba1adf1f37ecc1506e1d1b7366ac7ac4723018660a60cb20c
Instruction ID: d7ca25b9c5fb7d8c44ef54183c6436d6c9b0a8cc678a853d523a8f76cb451b05
Opcode Fuzzy Hash: 07918a48531dbbfba1adf1f37ecc1506e1d1b7366ac7ac4723018660a60cb20c
Instruction Fuzzy Hash: 5CB15F72D00229ABDF21EFA4DC85EDEB7BDFF49350F1040A6F509E6255EA309A448F61

Function 0093A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0093A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0093A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0093A468
CloseHandle.KERNEL32(?), ref: 0093A63D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: b4a54f59cc50c4fe8cb9513a0a2429fb8abe98ca3fc739897e5dd276778065fc
Instruction ID: 54e143cf2997d93849da450b22d04a9159fce32a04e07a88a00e4f189e2cc6a2
Opcode Fuzzy Hash: b4a54f59cc50c4fe8cb9513a0a2429fb8abe98ca3fc739897e5dd276778065fc
Instruction Fuzzy Hash: B5A15C71604301AFD724DF28C886F2AB7E5EB84714F14885DF59ADB392DBB4EC418B92

Function 008EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00953700), ref: 008EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0098121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00981270,000000FF,?,0000003F,00000000,?), ref: 008EBC36
_free.LIBCMT ref: 008EBB7F

Part of subcall function 008E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000), ref: 008E29DE
Part of subcall function 008E29C8: GetLastError.KERNEL32(00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000,00000000), ref: 008E29F0

_free.LIBCMT ref: 008EBD4B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 530854603398bf25633eb888e78734eed244887ce916e88e7c2921dd8478e5b8
Instruction ID: 2f524d7c9d5a57dcbf43d03dd0678af71ecee90cd168fdca27228628238d81f1
Opcode Fuzzy Hash: 530854603398bf25633eb888e78734eed244887ce916e88e7c2921dd8478e5b8
Instruction Fuzzy Hash: A9510B71908259EFCB10EF6ADC819AFB7BCFF46320F10026AE564D7291EB309D419B91

Function 0091E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0091DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0091CF22,?), ref: 0091DDFD

Part of subcall function 0091DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0091CF22,?), ref: 0091DE16

Part of subcall function 0091E199: GetFileAttributesW.KERNEL32(?,0091CF95), ref: 0091E19A

lstrcmpiW.KERNEL32(?,?), ref: 0091E473
MoveFileW.KERNEL32(?,?), ref: 0091E4AC
_wcslen.LIBCMT ref: 0091E5EB
_wcslen.LIBCMT ref: 0091E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0091E650

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 9965212c38f58668c71de392736176f926948f7eb63f0fc79eb25e6102991833
Instruction ID: 3b06ca0c976f9499100d06cd7eb485f3c08948ac46339be7401a843ba132c40f
Opcode Fuzzy Hash: 9965212c38f58668c71de392736176f926948f7eb63f0fc79eb25e6102991833
Instruction Fuzzy Hash: 925181B25083499BC724DB94DC819DF73ECEF84340F00492EFA89D3191EF74A6888766

Function 0093B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 0093C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0093B6AE,?,?), ref: 0093C9B5
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093C9F1
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA68
Part of subcall function 0093C998: _wcslen.LIBCMT ref: 0093CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0093BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0093BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0093BB63
RegCloseKey.ADVAPI32(?,?), ref: 0093BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0093BBB3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 7a24830b24b84f2f1046dfb7182f7f1c8f8250af89c78c4d57200d13160a3be8
Instruction ID: 473dedb2a7439a59b2e5e0124be3882158bfdd5955c10891d075f5ac9ab8c9ae
Opcode Fuzzy Hash: 7a24830b24b84f2f1046dfb7182f7f1c8f8250af89c78c4d57200d13160a3be8
Instruction Fuzzy Hash: B6619D71208241AFD714DF14C490E6ABBE9FF84308F14896DF5998B2A2DB31ED45CF92

Function 00918BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00918BCD
VariantClear.OLEAUT32 ref: 00918C3E
VariantClear.OLEAUT32 ref: 00918C9D
VariantClear.OLEAUT32(?), ref: 00918D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00918D3B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 77c0c01abc9631ea31e46fa1e03b26df8b6f85e51f665ef84ad12124353fe543
Instruction ID: e206357930e20feff6e5184952063fcd997c1bf186f86a6ace10da7a47f92549
Opcode Fuzzy Hash: 77c0c01abc9631ea31e46fa1e03b26df8b6f85e51f665ef84ad12124353fe543
Instruction Fuzzy Hash: F85166B5A10219EFCB10CF68D884AAAB7F9FF89310B158559F909DB350E734E911CF90

Function 00928AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00928BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00928BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00928C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00928C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00928C5F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: fee5ed52891158f49d664217c4c3a3303db0441184b20e6a178da3d9e4d007ee
Instruction ID: c7628e136ee06a676c8927a2aa9c0ec2c2d5cb63faac3c88cb9f41236597531b
Opcode Fuzzy Hash: fee5ed52891158f49d664217c4c3a3303db0441184b20e6a178da3d9e4d007ee
Instruction Fuzzy Hash: 48516C75A002149FCB11DF68C881EAEBBF5FF49314F088458E849AB362DB71ED41CBA1

Function 00938EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00938F40
GetProcAddress.KERNEL32(00000000,?), ref: 00938FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00938FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00939032
FreeLibrary.KERNEL32(00000000), ref: 00939052

Part of subcall function 008CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00921043,?,7529E610), ref: 008CF6E6
Part of subcall function 008CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0090FA64,00000000,00000000,?,?,00921043,?,7529E610,?,0090FA64), ref: 008CF70D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 12a45b870371b1c488c669b003841212ef37fc2fc66a0bf02a917cd325a753fb
Instruction ID: 71ab1b921b7ca5a6b197358654e137379d80dc6eaecdaca4229d06bf6fe7c285
Opcode Fuzzy Hash: 12a45b870371b1c488c669b003841212ef37fc2fc66a0bf02a917cd325a753fb
Instruction Fuzzy Hash: E9512734605205DFCB15DF68C484DAABBB5FF49314F0480A8E80A9B362DB71ED86CF91

Function 00946B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00946C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00946C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00946C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0092AB79,00000000,00000000), ref: 00946C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00946CC7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 03d2af95e5759396923f619d57065a42b33b4b2c2b4d93914bb3acbf33d1459c
Instruction ID: b1d56aaeea866392e8ea600f2774d1fe770346a5769cb3434d8cee673631b16c
Opcode Fuzzy Hash: 03d2af95e5759396923f619d57065a42b33b4b2c2b4d93914bb3acbf33d1459c
Instruction Fuzzy Hash: F041D4B5A08104AFD724CF68CC98FA97BA9EB0B351F150268FAD5A73E0C371AD41DA41

Function 008E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008E20C3
_free.LIBCMT ref: 008E20E3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5921b4cf15aa37b187c10721196f10645866aa1759a79e0cb8464537925da29a
Instruction ID: e057a585cf2987a2748b81bd26c20a7b6228e391a525953f8e1f1342a38ff953
Opcode Fuzzy Hash: 5921b4cf15aa37b187c10721196f10645866aa1759a79e0cb8464537925da29a
Instruction Fuzzy Hash: 5F41E272A00204AFDB24DF79C881A5DB7B9FF8A314F1545A9E615EB392D631EE01CB81

Function 008C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008C9141
ScreenToClient.USER32(00000000,?), ref: 008C915E
GetAsyncKeyState.USER32(00000001), ref: 008C9183
GetAsyncKeyState.USER32(00000002), ref: 008C919D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2c38016da38abf250f4b0b2c2e50cbfc1ba7b97e58dfbb9ea82881e54ce57f90
Instruction ID: 2b4f2414fec47a8c5332bca606d8ff98565188e5af1ffe3104a84f45e09aee71
Opcode Fuzzy Hash: 2c38016da38abf250f4b0b2c2e50cbfc1ba7b97e58dfbb9ea82881e54ce57f90
Instruction Fuzzy Hash: 46415E71A0C60AEFDF159FA8C849FEEF774FB05324F24825AE465A22D0C734A950DB91

Function 00923874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00923922
TranslateMessage.USER32(?), ref: 0092394B
DispatchMessageW.USER32(?), ref: 00923955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00923966

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 8f223fab77da0240d50bbfdf85b9c023dcbbd3773074f983dfd13af4dae53979
Instruction ID: 094b38a98e3c488831186ee18dfed43d4d78305a365cf950ce670eee41436e13
Opcode Fuzzy Hash: 8f223fab77da0240d50bbfdf85b9c023dcbbd3773074f983dfd13af4dae53979
Instruction Fuzzy Hash: 4F31C674918361DFEB39CB34B849FB637ACEB06300F048569E452D61A4E3BD96C5EB11

Function 0092CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0092C21E,00000000), ref: 0092CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0092CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0092C21E,00000000), ref: 0092CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0092C21E,00000000), ref: 0092CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0092C21E,00000000), ref: 0092CFF2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e5d668a30ee31ab820168e186a9ea0f4140ae71037821175dfe8a1a948cddded
Instruction ID: 089a00b2afcbec7c76a6f86f9c995b892ad29ab4ab54a45cd4a6c571ba6fcbba
Opcode Fuzzy Hash: e5d668a30ee31ab820168e186a9ea0f4140ae71037821175dfe8a1a948cddded
Instruction Fuzzy Hash: 6A318BB1504215EFDB20DFA5E984EAEBBFDEB04350B10442EF116D2145DB30EE409B60

Function 00911901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00911915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009119E2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8ff98b25251ffd75d9f348e18cd1190e5d5056ec161d4376e487ce69f7cb7547
Instruction ID: 3de9d6e621897fc034d8f1d49c2ecd0f617e68fbab8f40877a51b932448ae1b9
Opcode Fuzzy Hash: 8ff98b25251ffd75d9f348e18cd1190e5d5056ec161d4376e487ce69f7cb7547
Instruction Fuzzy Hash: EC31C0B5A0421DFFCB00CFA8DD99ADE3BB5EB45315F108229FA21A72D1C7709984DB90

Function 00945706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00945745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0094579D
_wcslen.LIBCMT ref: 009457AF
_wcslen.LIBCMT ref: 009457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00945816

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d36a3b1bfc9d3a387fa8b15d81620cd468fc89d755f542882c7c87687345dfbe
Instruction ID: cf1d3491394aa979f103ea50de44b5ba8938db32575ffa08ed7f57a5bad996cc
Opcode Fuzzy Hash: d36a3b1bfc9d3a387fa8b15d81620cd468fc89d755f542882c7c87687345dfbe
Instruction Fuzzy Hash: F921D570904608ABDB209FE5CC85EED7BBCFF00320F108216E919EA291E7708985CF50

Function 008C990F Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008C98CC
SetTextColor.GDI32(?,?), ref: 008C98D6
SetBkMode.GDI32(?,00000001), ref: 008C98E9
GetStockObject.GDI32(00000005), ref: 008C98F1
GetWindowLongW.USER32(?,000000EB), ref: 008C9952

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 7aa9d4683aaf7371f7f0ab8f15476e561f27ee0c7c51fcd78a5070cf1ac8c2d5
Instruction ID: 6362350b47bfa036a77f9119151ed9013eee366151d7df847b39cb6398bce6c3
Opcode Fuzzy Hash: 7aa9d4683aaf7371f7f0ab8f15476e561f27ee0c7c51fcd78a5070cf1ac8c2d5
Instruction Fuzzy Hash: 8F21ED7254A2409FC7128F24EC58EAA3F74FF17330B1441EDE9928B1A2C6328946DB60

Function 00930930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00930951
GetForegroundWindow.USER32 ref: 00930968
GetDC.USER32(00000000), ref: 009309A4
GetPixel.GDI32(00000000,?,00000003), ref: 009309B0
ReleaseDC.USER32(00000000,00000003), ref: 009309E8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fa6c917fc83485480ad7aefa7ee5272b63b73a42e6e6ae395899c2aee3ccff3e
Instruction ID: e69a8fd4b3b14d9352f6c0bc3cfb2f4d2894b8b1507a019e2ef7e0c7992ac899
Opcode Fuzzy Hash: fa6c917fc83485480ad7aefa7ee5272b63b73a42e6e6ae395899c2aee3ccff3e
Instruction Fuzzy Hash: 51219279600214AFD714EF68D884EAEB7E9FF85740F048068F846D7362CB70AD04DB50

Function 008ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008ECDE9

Part of subcall function 008E3820: RtlAllocateHeap.NTDLL(00000000,?,00981444,?,008CFDF5,?,?,008BA976,00000010,00981440,008B13FC,?,008B13C6,?,008B1129), ref: 008E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008ECE0F
_free.LIBCMT ref: 008ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008ECE31

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dd303d32bab84703311064f93214fdb466dc309b405cf989f0b3d1fd11093885
Instruction ID: e3832923e9b14818e8b7d866460bc0efa6f6de9d929d40ccca29939b2c6b0aed
Opcode Fuzzy Hash: dd303d32bab84703311064f93214fdb466dc309b405cf989f0b3d1fd11093885
Instruction Fuzzy Hash: 1C01D8B2A062967F23211A7BAC4CD7B696DFEC7BA13150129F905D7201DB618D0291B0

Function 008C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008C9693
SelectObject.GDI32(?,00000000), ref: 008C96A2
BeginPath.GDI32(?), ref: 008C96B9
SelectObject.GDI32(?,00000000), ref: 008C96E2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 350ccc869fc0c4c21a7e0f326a407c50de9122b44ed5272b5ed5a1d9b4d9a523
Instruction ID: 0d3a5f39232326f62d13f19f51adb110855dbc6b5428170d22641d8312921779
Opcode Fuzzy Hash: 350ccc869fc0c4c21a7e0f326a407c50de9122b44ed5272b5ed5a1d9b4d9a523
Instruction Fuzzy Hash: 9D21607082A305EFDB119F68FC18FA97B78FB11755F100259F451A62E0D3719852EB94

Function 00915711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00915726
_memcmp.LIBVCRUNTIME ref: 00915744
_memcmp.LIBVCRUNTIME ref: 00915757
_memcmp.LIBVCRUNTIME ref: 0091576F
_memcmp.LIBVCRUNTIME ref: 00915787

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9b43fa100a0bfa004d5d5df29df70c0402f671d3baaf2a86f19e0230169efc70
Instruction ID: 1278dbafedb592ac452eac85c2aae5022393a757e6d643b121c547da2eaa7cb8
Opcode Fuzzy Hash: 9b43fa100a0bfa004d5d5df29df70c0402f671d3baaf2a86f19e0230169efc70
Instruction Fuzzy Hash: 9B0192A574160EFAE60855149D93EFA635CEFA13A9B024021FD089A382F764EE5086A1

Function 008E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008DF2DE,008E3863,00981444,?,008CFDF5,?,?,008BA976,00000010,00981440,008B13FC,?,008B13C6), ref: 008E2DFD
_free.LIBCMT ref: 008E2E32
_free.LIBCMT ref: 008E2E59
SetLastError.KERNEL32(00000000,008B1129), ref: 008E2E66
SetLastError.KERNEL32(00000000,008B1129), ref: 008E2E6F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ef665dae48ec148654ba7f729f6052da00e251fdaaa48a619c8d9289c63f520d
Instruction ID: d1c01c7f148e7ee2a17a4bb3c0167985fff052cb5491004d51018b33c9f46aa0
Opcode Fuzzy Hash: ef665dae48ec148654ba7f729f6052da00e251fdaaa48a619c8d9289c63f520d
Instruction Fuzzy Hash: CB01F47620A6966BC612677B6C4AD2B265DFBC37B9B314028F825E32D3EB348C015121

Function 0091000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?,?,0091035E), ref: 0091002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?), ref: 00910046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?), ref: 00910054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?), ref: 00910064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0090FF41,80070057,?,?), ref: 00910070

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1ef7fa58de6d1b328acffa7080fe430b326d0719edaab1aa2077a6fd2d49c7e5
Instruction ID: 7306aaafeacfc3e8294677e2d969b82e8f1aff5329b79fbbd6fd3c318b3abd1f
Opcode Fuzzy Hash: 1ef7fa58de6d1b328acffa7080fe430b326d0719edaab1aa2077a6fd2d49c7e5
Instruction Fuzzy Hash: F00184B6711208BFDB504F64DC04FEA7AADEB88791F144114F945D2210E7B6DD80D760

Function 0091E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0091E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0091E9A5
Sleep.KERNEL32(00000000), ref: 0091E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0091E9B7
Sleep.KERNEL32 ref: 0091E9F3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 10ef92cbf063e6e32f222c286d820ffec7899790cd70180346c7b16974dd9233
Instruction ID: 9de376013f3efbb158f47f31fd7e756d359bb8becec747816d94ba3aa780b83b
Opcode Fuzzy Hash: 10ef92cbf063e6e32f222c286d820ffec7899790cd70180346c7b16974dd9233
Instruction Fuzzy Hash: 8A015775E0AA2DDBDF40ABE4D849AEDBB78FB09700F000546E902B2240DB3495909BA1

Function 009110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00911114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 00911120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 0091112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00910B9B,?,?,?), ref: 00911136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0091114D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 5509368377bd2cc5c0373a5870f133c2dd9b93881a2255d2d53bb9c7aa75227b
Instruction ID: 0d5bbf9d17e033932f342503f0da8afa91fd31d9c8a53368ecd2cab718f88026
Opcode Fuzzy Hash: 5509368377bd2cc5c0373a5870f133c2dd9b93881a2255d2d53bb9c7aa75227b
Instruction Fuzzy Hash: DF0181B9205205BFDB514FA5DC49EAA3F6EEF8A364B100414FA41C3360DB31DC409A60

Function 00910FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00910FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00910FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00910FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00910FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00911002

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 48f23a676d9a9904ae7078f6ee353fa809ff14a7616e384a2108b2caad5019a2
Instruction ID: b3e0072fd08b133caa85a2aa87f9001dc667f368b62cac3fe445d959fc51920d
Opcode Fuzzy Hash: 48f23a676d9a9904ae7078f6ee353fa809ff14a7616e384a2108b2caad5019a2
Instruction Fuzzy Hash: 62F06DB9616305FFDB214FA4DC4DF963BADEF8A7A2F104414FA45C7261CA70DC809A60

Function 00911014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0091102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00911036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00911045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0091104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00911062

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 64360b3ccc4dce0c8cfbfbf6571eb9204bbd2ebc6b67a9b1a7dbd337a36e75f2
Instruction ID: 1f9de18982ec84615ff797a0716358e1cd9ceef4fcab4d76e49d6f52a1612efa
Opcode Fuzzy Hash: 64360b3ccc4dce0c8cfbfbf6571eb9204bbd2ebc6b67a9b1a7dbd337a36e75f2
Instruction Fuzzy Hash: 11F06DB9616305FFDB215FA5EC49F963BADEF8A761F500414FA45C7250CA70D880DA60

Function 0092030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0092017D,?,009232FC,?,00000001,008F2592,?), ref: 00920324
CloseHandle.KERNEL32(?,?,?,?,0092017D,?,009232FC,?,00000001,008F2592,?), ref: 00920331
CloseHandle.KERNEL32(?,?,?,?,0092017D,?,009232FC,?,00000001,008F2592,?), ref: 0092033E
CloseHandle.KERNEL32(?,?,?,?,0092017D,?,009232FC,?,00000001,008F2592,?), ref: 0092034B
CloseHandle.KERNEL32(?,?,?,?,0092017D,?,009232FC,?,00000001,008F2592,?), ref: 00920358
CloseHandle.KERNEL32(?,?,?,?,0092017D,?,009232FC,?,00000001,008F2592,?), ref: 00920365

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6b18a966d5bb41f29682651185d3fe223bbdf526f4798b5e0c1a171027591c4e
Instruction ID: 5e9dcd0652d0a49100df169f6c5b2ccf126568f131a4873cd957f98d98fa9757
Opcode Fuzzy Hash: 6b18a966d5bb41f29682651185d3fe223bbdf526f4798b5e0c1a171027591c4e
Instruction Fuzzy Hash: C801A272801B259FCB309F66E880812FBF9BF903153158A3FD19652932C371A958DF80

Function 008ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008ED752

Part of subcall function 008E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000), ref: 008E29DE
Part of subcall function 008E29C8: GetLastError.KERNEL32(00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000,00000000), ref: 008E29F0

_free.LIBCMT ref: 008ED764
_free.LIBCMT ref: 008ED776
_free.LIBCMT ref: 008ED788
_free.LIBCMT ref: 008ED79A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 225d05c0daf85a8b1e10222f39cadf1a83632afd5f776a2c8fd5e48d456e56ff
Instruction ID: 0f2ae6b430b29277277db6b863338616e85c41f032685bfa4b2428d5cf444a22
Opcode Fuzzy Hash: 225d05c0daf85a8b1e10222f39cadf1a83632afd5f776a2c8fd5e48d456e56ff
Instruction Fuzzy Hash: 32F06273514388BB8625FB6AFDC2D1A7BDDFB06310B951809F058E7502C734FC808661

Function 00915C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00915C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00915C6F
MessageBeep.USER32(00000000), ref: 00915C87
KillTimer.USER32(?,0000040A), ref: 00915CA3
EndDialog.USER32(?,00000001), ref: 00915CBD

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 274c879497d11f59587ec3f483d69ff8ec91720449bfdbb7c246d3bdb10e9e92
Instruction ID: 58ecd0283896adb870003724e5dae6bbdc2edec9884663a7f08bfd02ba6c431a
Opcode Fuzzy Hash: 274c879497d11f59587ec3f483d69ff8ec91720449bfdbb7c246d3bdb10e9e92
Instruction Fuzzy Hash: BE01D174601B09EFEB206F10DD4EFE677B8BB01B01F020559A693A10E0DBF4AA849A90

Function 008E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008E22BE

Part of subcall function 008E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000), ref: 008E29DE
Part of subcall function 008E29C8: GetLastError.KERNEL32(00000000,?,008ED7D1,00000000,00000000,00000000,00000000,?,008ED7F8,00000000,00000007,00000000,?,008EDBF5,00000000,00000000), ref: 008E29F0

_free.LIBCMT ref: 008E22D0
_free.LIBCMT ref: 008E22E3
_free.LIBCMT ref: 008E22F4
_free.LIBCMT ref: 008E2305

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bd4745f98724617fe977dbd6bcbbcdd1184c080dd1097cd6e8bd1ce74a8842e6
Instruction ID: 870b19d379140721f461481b3ebe12df9c830df7bb0ce4017984f84adef5c88e
Opcode Fuzzy Hash: bd4745f98724617fe977dbd6bcbbcdd1184c080dd1097cd6e8bd1ce74a8842e6
Instruction Fuzzy Hash: DFF054B2428154ABC622BF59BC02D483F6CF719761701550AF524D6372C7354452BFE6

Function 008C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008C95D4
StrokeAndFillPath.GDI32(?,?,009071F7,00000000,?,?,?), ref: 008C95F0
SelectObject.GDI32(?,00000000), ref: 008C9603
DeleteObject.GDI32 ref: 008C9616
StrokePath.GDI32(?), ref: 008C9631

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3f89440af0f7b5a045e12851aecae494b4c748d8e594c8618d14598f93507798
Instruction ID: aefcc23fc56351ebf14009887082d37177655075fc2172ea37fc94c89d5bccf4
Opcode Fuzzy Hash: 3f89440af0f7b5a045e12851aecae494b4c748d8e594c8618d14598f93507798
Instruction Fuzzy Hash: 68F0F63402E608EFDB265F65ED1CF643B69FB12362F048258E465951F0C7328992EF20

Function 008E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008E10F9
__freea.LIBCMT ref: 008E1117

Part of subcall function 008E1537: _free.LIBCMT ref: 008E154F

Strings

am/pm, xrefs: 008E117A
a/p, xrefs: 008E11DE

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 24bef9f2da890f93ca0324cba2c26b8193552c1028872fa2b740e15b0ad94811
Instruction ID: 5f7f3d565faf156947022ea8f77136d703e682f62714576d2e619c4eeba2e9d0
Opcode Fuzzy Hash: 24bef9f2da890f93ca0324cba2c26b8193552c1028872fa2b740e15b0ad94811
Instruction Fuzzy Hash: CBD1CF7190028A9ACF249F6AC84DBFAB7B1FF07704F240159EA01EBA54D7799D80CB91

Function 00937B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008D0242: EnterCriticalSection.KERNEL32(0098070C,00981884,?,?,008C198B,00982518,?,?,?,008B12F9,00000000), ref: 008D024D
Part of subcall function 008D0242: LeaveCriticalSection.KERNEL32(0098070C,?,008C198B,00982518,?,?,?,008B12F9,00000000), ref: 008D028A

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 008D00A3: __onexit.LIBCMT ref: 008D00A9

__Init_thread_footer.LIBCMT ref: 00937BFB

Part of subcall function 008D01F8: EnterCriticalSection.KERNEL32(0098070C,?,?,008C8747,00982514), ref: 008D0202
Part of subcall function 008D01F8: LeaveCriticalSection.KERNEL32(0098070C,?,008C8747,00982514), ref: 008D0235

Strings

Variable must be of type 'Object'., xrefs: 00937C3A
5, xrefs: 00937C78
G, xrefs: 00937C7F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 2db4f0924ddf123b53988a39d0a4ac7dc160554af9f4ef1f13f7e49e532e7211
Instruction ID: f18fc899777211dd94ef042dee1c994bc41b68e4adb7f646a406db3f13fc8302
Opcode Fuzzy Hash: 2db4f0924ddf123b53988a39d0a4ac7dc160554af9f4ef1f13f7e49e532e7211
Instruction Fuzzy Hash: 629168B0A04209AFCB24EF98D8919ADB7B5FF49304F108459F856AB392DB71AE41CF51

Function 00912716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0091B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009121D0,?,?,00000034,00000800,?,00000034), ref: 0091B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00912760

Part of subcall function 0091B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0091B3F8

Part of subcall function 0091B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0091B355
Part of subcall function 0091B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00912194,00000034,?,?,00001004,00000000,00000000), ref: 0091B365
Part of subcall function 0091B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00912194,00000034,?,?,00001004,00000000,00000000), ref: 0091B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0091281A

Strings

@, xrefs: 00912832

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0e0bb75d67d9bef422d18a46eee9be9296d3c2e043e07e9c109148faede64ce6
Instruction ID: ce2a178c77bfadda199795b03d5a378b3ac07f2d77474e23b1e8afea21aed598
Opcode Fuzzy Hash: 0e0bb75d67d9bef422d18a46eee9be9296d3c2e043e07e9c109148faede64ce6
Instruction Fuzzy Hash: C3413D76A0121CAFDB10EBA4CD85BEEBBB8EF45300F108095FA55B7191DB706E85CB61

Function 008E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008E1769
_free.LIBCMT ref: 008E1834
_free.LIBCMT ref: 008E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008E1760, 008E1767, 008E1796, 008E17CE

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: f4633aa2f723e280d50deba2d6434fd70672c510bb5ccc01f3f454bc0b784a4a
Instruction ID: 7795df0d1bc65d02d18aa491c0895baf28a1b0ac97c7ae249cef472bd5b32926
Opcode Fuzzy Hash: f4633aa2f723e280d50deba2d6434fd70672c510bb5ccc01f3f454bc0b784a4a
Instruction Fuzzy Hash: BF318E71A04298AFDF21DB9A9C89D9EBBFCFB86710B10416AF805D7311D6708E41DB91

Function 0091C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0091C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0091C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00981990,01455658), ref: 0091C395

Strings

0, xrefs: 0091C2DF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 59b0ee85e38284391c4f5b6aafc7a65f1e632b31a772b7593860ee4345bc2f0d
Instruction ID: d0c5ccd5f82a520fe929b00175eed93a39fb5b05db139a78e7e00eb9aad4031b
Opcode Fuzzy Hash: 59b0ee85e38284391c4f5b6aafc7a65f1e632b31a772b7593860ee4345bc2f0d
Instruction Fuzzy Hash: 5841A0B12483059FD724DF28D884B9ABBE8AF85311F008A1EF9B5972D1D730E946CB52

Function 00944416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0094CC08,00000000,?,?,?,?), ref: 009444AA
GetWindowLongW.USER32 ref: 009444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009444D7

Strings

SysTreeView32, xrefs: 0094447C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 1fd16b54432a6131ab23ace55bf036807f9315badab287ee8ec2635dc0afff10
Instruction ID: f8c86237d639f511a6e8eba310b9db938615dc9067dece7be2a1a12379d653bd
Opcode Fuzzy Hash: 1fd16b54432a6131ab23ace55bf036807f9315badab287ee8ec2635dc0afff10
Instruction Fuzzy Hash: B1319C72214605AFDF208E38DC45FEA77A9EB09338F208715F979A21E0D774EC509B50

Function 0093304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0093335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00933077,?,?), ref: 00933378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0093307A
_wcslen.LIBCMT ref: 0093309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00933106

Strings

255.255.255.255, xrefs: 00933095, 0093309A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0291361cc45f90973d7e07a2561eb020b6fe859029f24670276a3053858e1f26
Instruction ID: 14beeaa95d1e6432b1f6ad645704a0aae73795780bf5609ca131277d209cc8a2
Opcode Fuzzy Hash: 0291361cc45f90973d7e07a2561eb020b6fe859029f24670276a3053858e1f26
Instruction Fuzzy Hash: 2631D3396042019FCB24CF69C585EAA77F4EF55318F24C059E9158F3A2DB32EE41CB61

Function 00943EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00943F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00943F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00943F78

Strings

SysMonthCal32, xrefs: 00943F0B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 566b7d28b66f8e48f0a5b5c9affd175d787e17dda3bf5b8b9fecf01017f033dc
Instruction ID: 7933dd25b965773772d4f4b1569a8829628f3763253083e538fda420617d6170
Opcode Fuzzy Hash: 566b7d28b66f8e48f0a5b5c9affd175d787e17dda3bf5b8b9fecf01017f033dc
Instruction Fuzzy Hash: 2921BF32610219BFEF158FA0CC46FEA3B79EF88714F114254FE15AB1D0D6B5A8549B90

Function 00944653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00944705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00944713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0094471A

Strings

msctls_updown32, xrefs: 00944684

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 077e2f8930b33b8cc492932a34d1849ecb176f59575e4a162739592cb4ae8660
Instruction ID: c4adaa2be1ef86157eb7c59ceba11d86aca98fdc36f85923e1474782472902bf
Opcode Fuzzy Hash: 077e2f8930b33b8cc492932a34d1849ecb176f59575e4a162739592cb4ae8660
Instruction Fuzzy Hash: C2218EB5604209AFDB10DF68DC81DA737ADEB9A3A4B000059FA00DB351CB31EC12DB60

Function 009195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0091961D

Strings

#requireadmin, xrefs: 009195D9
#OnAutoItStartRegister, xrefs: 009195F3
#notrayicon, xrefs: 009195B7

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c1554b543d1ed268030c0cf5c23e6f9f402e5ec895d8b75b95d88ad594b3e250
Instruction ID: b4d5f2b2b8ec1a27653166e51050378ee40f80f10bc413519b737c994e0ed5a1
Opcode Fuzzy Hash: c1554b543d1ed268030c0cf5c23e6f9f402e5ec895d8b75b95d88ad594b3e250
Instruction Fuzzy Hash: 04215B3230421566D331AB289C26FFB73DDFF92344F504426F949EB141EB65ADC1C2A6

Function 009437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00943840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00943850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00943876

Strings

Listbox, xrefs: 0094380F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5b1196294fa82f11766b073f2ae2ff3bcb813fdaee32910556796bc86fffb659
Instruction ID: 1c5aef1ed3d682ca3aaf03eed72a0327398e2d71ef73981ab7e0f88ec134b373
Opcode Fuzzy Hash: 5b1196294fa82f11766b073f2ae2ff3bcb813fdaee32910556796bc86fffb659
Instruction Fuzzy Hash: EC21CF72610218BBEF218F65CC81FBB7B6EEF89764F10C124F9449B290C671DC5287A0

Function 009249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00924A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00924A5C
SetErrorMode.KERNEL32(00000000,?,?,0094CC08), ref: 00924AD0

Strings

%lu, xrefs: 00924A6F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4d0495aec3ca2615129b40e76114fe31fe07a92e640dd21da65157d1cc595f34
Instruction ID: 11e38268884c1547b2b37f202b12ddfc413b5c7d3e33a8a8c5c955e8c6329070
Opcode Fuzzy Hash: 4d0495aec3ca2615129b40e76114fe31fe07a92e640dd21da65157d1cc595f34
Instruction Fuzzy Hash: 21316F75A00118AFDB10DF68C885EAA7BF8EF49308F1480A9F909DB352D771ED45CB61

Function 009441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0094424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00944264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00944271

Strings

msctls_trackbar32, xrefs: 00944226

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0e367e21bc24fec6bc9189739ad4c5e59b81081f201be1941fea7a65ea334f3e
Instruction ID: f15333f03c7008615eda7ff0ab5eb91a03aa634a0cbaac82b7e8a2814c6e1b10
Opcode Fuzzy Hash: 0e367e21bc24fec6bc9189739ad4c5e59b81081f201be1941fea7a65ea334f3e
Instruction Fuzzy Hash: 66112931240208BEEF205F79CC06FAB3BACEF95B54F010524FA55E20A0D6B1DC619B10

Function 00912F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B6B57: _wcslen.LIBCMT ref: 008B6B6A

Part of subcall function 00912DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00912DC5
Part of subcall function 00912DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00912DD6
Part of subcall function 00912DA7: GetCurrentThreadId.KERNEL32 ref: 00912DDD
Part of subcall function 00912DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00912DE4

GetFocus.USER32 ref: 00912F78

Part of subcall function 00912DEE: GetParent.USER32(00000000), ref: 00912DF9

GetClassNameW.USER32(?,?,00000100), ref: 00912FC3
EnumChildWindows.USER32(?,0091303B), ref: 00912FEB

Strings

%s%d, xrefs: 00912FFF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52769450176ba1578ab2b35e2193f83de53bf272ba8a587ded189affe83338ed
Instruction ID: 65dc084bd56938e2a5e760852d016ec2798427be0b9fb5fd1b5b0560a778d19f
Opcode Fuzzy Hash: 52769450176ba1578ab2b35e2193f83de53bf272ba8a587ded189affe83338ed
Instruction Fuzzy Hash: 7411C0B5300209ABDF447F64DC95FED37BAAF88318F048075B909AB292DE3099858B70

Function 00945882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009458EE
DrawMenuBar.USER32(?), ref: 009458FD

Strings

0, xrefs: 0094588F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 84fd199fdb5841776b08d38afc85ea70d0ce88115d2a1519f3c8b2fe3e71309c
Instruction ID: d2c95acd0ee581c3497b486c37f480f1d913df859bef297e7a81f7924235b01c
Opcode Fuzzy Hash: 84fd199fdb5841776b08d38afc85ea70d0ce88115d2a1519f3c8b2fe3e71309c
Instruction Fuzzy Hash: FC01C031514208EFDB609F51DC44FAEBBB9FF45760F008099F849DA162DB308A80EF21

Function 0090D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0090D3BF
FreeLibrary.KERNEL32 ref: 0090D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0090D3B9
X64, xrefs: 0090D2A8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 51264636c5864bc914be650a140fbb1535e4ad883f79f2e1ac851a5cec0924dd
Instruction ID: 58ca094a3e525538fce30d5a305395bd44285ef034f4a425a93a98b346d6e4e7
Opcode Fuzzy Hash: 51264636c5864bc914be650a140fbb1535e4ad883f79f2e1ac851a5cec0924dd
Instruction Fuzzy Hash: 4BF0ABB680FB21EFD3B122984C58E6DB3A8AF00B05B548529F402E21C9E720CD40C7C6

Function 0091007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495793d657038de7ed5a7d02e929be53054f6a6d1809c96f5390495dcdfdc3c3
Instruction ID: e5a06747397760e1bd48e5526da2aff2383af91007936dfb75c05a6417484524
Opcode Fuzzy Hash: 495793d657038de7ed5a7d02e929be53054f6a6d1809c96f5390495dcdfdc3c3
Instruction Fuzzy Hash: 1FC15C75A0020AEFDB14CF94C894AAEB7B5FF88704F108598E515EB251D772DDC2CB90

Function 008E3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008E3F0B
__alldvrm.LIBCMT ref: 008E410C
__alldvrm.LIBCMT ref: 008E412E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: cfa699db0815d3305258efa7fc70560af9ad67d529ef66c54db29e4afe660939
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 0CA14671D007C69FDB22CE2AC8917AABBE4FF67350F1441ADE599DB282C6348D81C751

Function 0093342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00933459
CoUninitialize.OLE32 ref: 00933463
VariantInit.OLEAUT32(?), ref: 0093346E
VariantClear.OLEAUT32(?), ref: 0093371B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 4b9987d158e6c3c3d3b97ddb3bf2d35e0c1e2c207e09053369cb9422b6f41451
Instruction ID: 61e79553c6886b24a045bb827d8a7cd86f807103ff82aaa3a826169f2abf7fec
Opcode Fuzzy Hash: 4b9987d158e6c3c3d3b97ddb3bf2d35e0c1e2c207e09053369cb9422b6f41451
Instruction Fuzzy Hash: 24A1F4756047009FC710DF28C586A6AB7E9FF89714F048859F98A9B362DB34EE01CF92

Function 00910436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0094FC08,?), ref: 009105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0094FC08,?), ref: 00910608
CLSIDFromProgID.OLE32(?,?,00000000,0094CC40,000000FF,?,00000000,00000800,00000000,?,0094FC08,?), ref: 0091062D
_memcmp.LIBVCRUNTIME ref: 0091064E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cd5c9107d5a98202ee44d6c0151051ddac8d9e0b95eed7c371f2e1d42eeae19f
Instruction ID: b507db6aca6a9fb1f0898d342552763b02513dd812e2d06ddabc93c9f2d4bfe3
Opcode Fuzzy Hash: cd5c9107d5a98202ee44d6c0151051ddac8d9e0b95eed7c371f2e1d42eeae19f
Instruction Fuzzy Hash: E481EA75A00109EFCB04DF94C984DEEB7B9FF89315F204558F506AB250DB72AE86CB60

Function 0093A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0093A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0093A6BA

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0093A79C
CloseHandle.KERNEL32(00000000), ref: 0093A7AB

Part of subcall function 008CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,008F3303,?), ref: 008CCE8A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f01a3f6d1abdd9923704874ff5527c60cd7ff31286f1e396fd9bbe589338e3a3
Instruction ID: 635dce27a52eb0fb05616dba1ed4929349d18e8455313980d1ee94dade453268
Opcode Fuzzy Hash: f01a3f6d1abdd9923704874ff5527c60cd7ff31286f1e396fd9bbe589338e3a3
Instruction Fuzzy Hash: 895108B5508300AFD714EF28C886A6BBBE8FF89754F40492DF595D7252EB70E904CB92

Function 008F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008F14C0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4372054fca2c3f68b36c10446f64c3bfa1ea590b539a3b2ea767817ff45d85fa
Instruction ID: a7fd62943f421f0618fda4247629c49bb4c752c1edcee254500b92f61ae5f8fb
Opcode Fuzzy Hash: 4372054fca2c3f68b36c10446f64c3bfa1ea590b539a3b2ea767817ff45d85fa
Instruction Fuzzy Hash: DD414D3160010CEBDF217BBD9C49ABE3BA5FF96334F244226FA19D2292E67448415277

Function 00946278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009462E2
ScreenToClient.USER32(?,?), ref: 00946315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00946382

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5b7207b7b6ebb6007adc4f4d4af8ab17159a9dd37778de3b9ec68f3fec438eed
Instruction ID: 7198328c4e777781967b27ccc36bb2ba0535d63ab8489810b061a521fddd8e32
Opcode Fuzzy Hash: 5b7207b7b6ebb6007adc4f4d4af8ab17159a9dd37778de3b9ec68f3fec438eed
Instruction Fuzzy Hash: 71512CB4A00249AFCF14DF58D880EAE7BB9FB46364F108259F865972A0D731ED41DB51

Function 00931AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00931AFD
WSAGetLastError.WSOCK32 ref: 00931B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00931B8A
WSAGetLastError.WSOCK32 ref: 00931B94

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c39a86cda8d9714a95fd50b69e74b39bf4a4c78065f8e1ea98e0c949bf5da928
Instruction ID: f766a9a1fe8f63b4ee0f7bbfc7a8f74c25b6b37754fc2064acf60b68fc4b99d7
Opcode Fuzzy Hash: c39a86cda8d9714a95fd50b69e74b39bf4a4c78065f8e1ea98e0c949bf5da928
Instruction Fuzzy Hash: 1941A178600200AFE720AF28C886F6A77E5EB44718F54849CF91A9F7D2D776ED41CB91

Function 008EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1c7a49ee6a9648d10fb7f17ac69066ef6375029c4dca48a622c919cebbeef2
Instruction ID: 23310d327628a1e55f91d8d71a1a14ead78183eaefd8f8daf60f180598ed4d00
Opcode Fuzzy Hash: 4b1c7a49ee6a9648d10fb7f17ac69066ef6375029c4dca48a622c919cebbeef2
Instruction Fuzzy Hash: E041E4B1A00388AFD7249F7DCC41B6BBBA9FB89714F10462AF552DB2C2D771A9018781

Function 009256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00925783
GetLastError.KERNEL32(?,00000000), ref: 009257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009257FA

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5c501cf432d3cedb6b2fb8a11be3ae45a140713ef473a29809f133c9957c419d
Instruction ID: b7a40b03f45c0e6672d253e1d927dfee40bc5fb8eb2b676349f58a43b63ef945
Opcode Fuzzy Hash: 5c501cf432d3cedb6b2fb8a11be3ae45a140713ef473a29809f133c9957c419d
Instruction Fuzzy Hash: BE410C39600610DFCB21DF19C545A5EBBE6FF89720B19C488E84A9B366CB74FD40DB92

Function 008ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008D6D71,00000000,00000000,008D82D9,?,008D82D9,?,00000001,008D6D71,8BE85006,00000001,008D82D9,008D82D9), ref: 008ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008ED9AB
__freea.LIBCMT ref: 008ED9B4

Part of subcall function 008E3820: RtlAllocateHeap.NTDLL(00000000,?,00981444,?,008CFDF5,?,?,008BA976,00000010,00981440,008B13FC,?,008B13C6,?,008B1129), ref: 008E3852

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: fb04d9931531637b42ec63f8945390ebc2ddaaab4f48f395de96c29da9d0097b
Instruction ID: e56744445b91fa73e3ee45c3d486b674ae082c1e86763c933718c81a5d7eadea
Opcode Fuzzy Hash: fb04d9931531637b42ec63f8945390ebc2ddaaab4f48f395de96c29da9d0097b
Instruction Fuzzy Hash: 2531D072A0025AABDF249F6ADC45EAE7BA5FB42310F050269FC04DB251EB35CD55CBA0

Function 009452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00945352
GetWindowLongW.USER32(?,000000F0), ref: 00945375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00945382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009453A8

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 4b3cc0c2def5d25681005926a44e27deec024a4179f7ec42c41809ffe445212c
Instruction ID: afad2a251cc477444003876fdd95302d7cb09247f3557190db4e08c54bbc7608
Opcode Fuzzy Hash: 4b3cc0c2def5d25681005926a44e27deec024a4179f7ec42c41809ffe445212c
Instruction Fuzzy Hash: 6131E334A69A0CEFEF349E94CC15FE837A9AB053D0F5A4141FA10962E2C7B59D40EB42

Function 0091AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0091ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0091AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0091AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0091ACC6

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4239209029af6c4f4f6e7941b5dd0eb07c87c32b58b0d4943a9f99563cacd6ba
Instruction ID: 9e703c83e116dc5e13fac559c290d4dfbe4494e0230841f67e83f474f4c491ca
Opcode Fuzzy Hash: 4239209029af6c4f4f6e7941b5dd0eb07c87c32b58b0d4943a9f99563cacd6ba
Instruction Fuzzy Hash: A4311270B0631CAFEB35CB658804BFA7AAAAB89310F04461AE4D5922D1D3798DC597D2

Function 00947674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0094769A
GetWindowRect.USER32(?,?), ref: 00947710
PtInRect.USER32(?,?,00948B89), ref: 00947720
MessageBeep.USER32(00000000), ref: 0094778C

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 50e1d549433de5c92298b697f7107a09e50469a2f0bd41d604bcac1f22340c77
Instruction ID: 48e0d2fa1c59b123514f03658d8c1ecb45b059c45a9c472ba0b2c2a36f4d034f
Opcode Fuzzy Hash: 50e1d549433de5c92298b697f7107a09e50469a2f0bd41d604bcac1f22340c77
Instruction Fuzzy Hash: F141AC38A09219DFCB15CF98D894EA9B7F9FF49314F5580A8E8149B361C731E942DF90

Function 009416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009416EB

Part of subcall function 00913A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00913A57
Part of subcall function 00913A3D: GetCurrentThreadId.KERNEL32 ref: 00913A5E
Part of subcall function 00913A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009125B3), ref: 00913A65

GetCaretPos.USER32(?), ref: 009416FF
ClientToScreen.USER32(00000000,?), ref: 0094174C
GetForegroundWindow.USER32 ref: 00941752

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 52fa16e6954d468ac0490ad04e049f7ded7b0dd496b112671ce95694c9968817
Instruction ID: 24a37f5f1e200f9c4a9a62bb60cfa8837887f079c45426f26e7ceb78d643d066
Opcode Fuzzy Hash: 52fa16e6954d468ac0490ad04e049f7ded7b0dd496b112671ce95694c9968817
Instruction Fuzzy Hash: 44311075E00149AFC700EFA9C881DEEB7F9FF89304B5480A9E415E7311D6359E45CBA1

Function 0091DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 008B7620: _wcslen.LIBCMT ref: 008B7625

_wcslen.LIBCMT ref: 0091DFCB
_wcslen.LIBCMT ref: 0091DFE2
_wcslen.LIBCMT ref: 0091E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0091E018

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 272ce5b779bbd8671cc1615769fb28ac0c764d9f5179066ac88839883ddbbcd8
Instruction ID: c7731861c7b758ed00ec404b0d36dcc3fdbd021e9833bfc1b0929e251b7cc899
Opcode Fuzzy Hash: 272ce5b779bbd8671cc1615769fb28ac0c764d9f5179066ac88839883ddbbcd8
Instruction Fuzzy Hash: 7C21D371A00218AFCB10DFA8D981BAEB7F8FF89750F144065E905FB341D6709E418BA2

Function 00948FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

GetCursorPos.USER32(?), ref: 00949001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00907711,?,?,?,?,?), ref: 00949016
GetCursorPos.USER32(?), ref: 0094905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00907711,?,?,?), ref: 00949094

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 34b1dc55e338edd205c2be132339c6be23f1f56b3365b60468d88b82d7f8ac61
Instruction ID: 45ec63fcded20c67f27235f316dfc2473eedcbc3c2e2e4fee4e779142197554c
Opcode Fuzzy Hash: 34b1dc55e338edd205c2be132339c6be23f1f56b3365b60468d88b82d7f8ac61
Instruction Fuzzy Hash: 22219F35611018EFDB25CF94C859EEB7BB9FB4A360F044059F90587261C7369D91EB60

Function 0091D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0094CB68), ref: 0091D2FB
GetLastError.KERNEL32 ref: 0091D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0091D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0094CB68), ref: 0091D376

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1cc36820205a9aa6f6d38133ddd8a61845fed173fc797189c80d709034dc395f
Instruction ID: 61fad14f7e0b95488dacf347b8c7b3cc60e3d0a79b3ff3ec6a9a3b67445ebd81
Opcode Fuzzy Hash: 1cc36820205a9aa6f6d38133ddd8a61845fed173fc797189c80d709034dc395f
Instruction Fuzzy Hash: 9721957460A3059F8710DF28C8818EE77E8FE56368F104A1DF4A9C72A1D731D986CB93

Function 00911571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00911014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0091102A
Part of subcall function 00911014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00911036
Part of subcall function 00911014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00911045
Part of subcall function 00911014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0091104C
Part of subcall function 00911014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00911062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009115BE
_memcmp.LIBVCRUNTIME ref: 009115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00911617
HeapFree.KERNEL32(00000000), ref: 0091161E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 81da967bfcf5a79a2237f51d9031b4bf4316b5a229a4401a7c71690e2272f0a1
Instruction ID: 7515da239f1cafd570bbc72950e76fbd29b64f296465a040c57699b5f46a5e4c
Opcode Fuzzy Hash: 81da967bfcf5a79a2237f51d9031b4bf4316b5a229a4401a7c71690e2272f0a1
Instruction Fuzzy Hash: 4E217871E01109BFDF04DFA4C949BEEB7B9EF85384F084459E542AB241E731AA85DBA0

Function 00942782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0094280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00942824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00942832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00942840

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 155776e715c7884cbda138880e11c0b630a7681fcd43af788558462be5e80131
Instruction ID: f8b3d133c96fbc67e98d372f8cb2897cc8fcb5007029a3021511210c650b0720
Opcode Fuzzy Hash: 155776e715c7884cbda138880e11c0b630a7681fcd43af788558462be5e80131
Instruction Fuzzy Hash: DB21D035219111AFD7149B24C844FAA7BA9FF86324F148158F826CB7E2CB75FC82CB91

Function 009178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00918D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0091790A,?,000000FF,?,00918754,00000000,?,0000001C,?,?), ref: 00918D8C
Part of subcall function 00918D7D: lstrcpyW.KERNEL32(00000000,?,?,0091790A,?,000000FF,?,00918754,00000000,?,0000001C,?,?,00000000), ref: 00918DB2
Part of subcall function 00918D7D: lstrcmpiW.KERNEL32(00000000,?,0091790A,?,000000FF,?,00918754,00000000,?,0000001C,?,?), ref: 00918DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00918754,00000000,?,0000001C,?,?,00000000), ref: 00917923
lstrcpyW.KERNEL32(00000000,?,?,00918754,00000000,?,0000001C,?,?,00000000), ref: 00917949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00918754,00000000,?,0000001C,?,?,00000000), ref: 00917984

Strings

cdecl, xrefs: 0091797B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 94af15bda8756189d477af640b3a57c373ef9cea46bd44568fa35c81f24ee034
Instruction ID: fa09c5fcda2f919ac15847211f43b75bf87ff1f1b3b8ae5bd4387d03aea575a9
Opcode Fuzzy Hash: 94af15bda8756189d477af640b3a57c373ef9cea46bd44568fa35c81f24ee034
Instruction Fuzzy Hash: 5E11E43E304306AFDB159F78D844EBAB7B9FF85390B50402AF906CB2A4EB319841D791

Function 00947CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00947D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00947D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00947D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0092B7AD,00000000), ref: 00947D6B

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: eac161bffc4b53d8bfe8ab8f5b9ea0c472293561a4f547d3addfff6b1b800617
Instruction ID: 3dead36a263796945a2b101ae0fb7d609f0f5a42ad9d70ee279c4fff738c8f58
Opcode Fuzzy Hash: eac161bffc4b53d8bfe8ab8f5b9ea0c472293561a4f547d3addfff6b1b800617
Instruction Fuzzy Hash: 4E11D231629619AFCB109FA8DC04E6A7BA9BF46360B118724F839C72F0D7318D51DB50

Function 00945660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009456BB
_wcslen.LIBCMT ref: 009456CD
_wcslen.LIBCMT ref: 009456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00945816

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bd06768ce285b0e87bd296a997664095c46cf9e196f68f6ad2a7f378b2845972
Instruction ID: 3a07c486c10ab9f650687d84b65786d43fc065fadd11793dc0a482694fd05c78
Opcode Fuzzy Hash: bd06768ce285b0e87bd296a997664095c46cf9e196f68f6ad2a7f378b2845972
Instruction Fuzzy Hash: 19110375604608A7DB209FE6CC81EEE77ACFF11360F514526F905D6192EB74CA80CB60

Function 008E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68634312c11ac8e659117b425792567c009aad6c91cd47b2086e8578827e43f1
Instruction ID: 3e64c1e9ac72eeb1dd4517951502192b89ec24b2a2baf065fee6be5df1e257e6
Opcode Fuzzy Hash: 68634312c11ac8e659117b425792567c009aad6c91cd47b2086e8578827e43f1
Instruction Fuzzy Hash: 0F01A2B230969A3EFA51267A6CC5F27661CFF833B8B311325F921D11D2DB718C005160

Function 00911A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00911A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00911A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00911A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00911A8A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 31c7f573ed8ba935135be9d7f6155b11086a249378c18e09676db3c1bf855bdc
Instruction ID: 25967ab0282991d27e6f001495c1663cdcd684e9abae99f7bb48043878838fc2
Opcode Fuzzy Hash: 31c7f573ed8ba935135be9d7f6155b11086a249378c18e09676db3c1bf855bdc
Instruction Fuzzy Hash: F811F77AA01219FFEF119BA5C985FEDBB78EF08750F200091EA04B7290D6716E50DB94

Function 0091E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0091E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0091E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0091E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0091E24D

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a7d28456f315ce88b0f28213a5e92a8499252ba6fcc68989a1258679bba9e048
Instruction ID: db69d0af74fccb81ccd5ae1c9422bf1e3cf917ad92bf9bf8a9cc40695cef64fe
Opcode Fuzzy Hash: a7d28456f315ce88b0f28213a5e92a8499252ba6fcc68989a1258679bba9e048
Instruction Fuzzy Hash: 861104B6A18258BFC7019FA8DC09EDE7FACAB46320F004616FC24E3391D2B0890097A0

Function 008DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008DCFF9,00000000,00000004,00000000), ref: 008DD218
GetLastError.KERNEL32 ref: 008DD224
__dosmaperr.LIBCMT ref: 008DD22B
ResumeThread.KERNEL32(00000000), ref: 008DD249

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b835a43a8353d7ad53f85034fdc50afb41f7c342905ecc90d9aedfc8f8e1a54a
Instruction ID: e422de98d58ee076357399e45d32dd7bb7464411f391c61843a422576e40378f
Opcode Fuzzy Hash: b835a43a8353d7ad53f85034fdc50afb41f7c342905ecc90d9aedfc8f8e1a54a
Instruction Fuzzy Hash: 4A01C076809208BBCB115BA9DC09BAE7B6DFF82330F10431AF925D22D1CF719901D6A1

Function 00949EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008C9BB2

GetClientRect.USER32(?,?), ref: 00949F31
GetCursorPos.USER32(?), ref: 00949F3B
ScreenToClient.USER32(?,?), ref: 00949F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00949F7A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 034a78531e7b556ef96cc7344b7a11b429fe88892152b9f921ec6a7cc91efe38
Instruction ID: f485e8b13c582808c9eeac990a974a9be49e0b373cbbe6db22fbbdef98b3789c
Opcode Fuzzy Hash: 034a78531e7b556ef96cc7344b7a11b429fe88892152b9f921ec6a7cc91efe38
Instruction Fuzzy Hash: 9211367690511AABDB10DFA8D849DEE77BCFB46311F000495F901E3140D734BE86DBA1

Function 008B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008B604C
GetStockObject.GDI32(00000011), ref: 008B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 008B606A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: e2bda89ba9eda9fe54a86a0397bb0eaafa8e4ee9f386c428062fb53a4626fd9f
Instruction ID: 9517c37cc2136e306f6324bbb97f790e4c5416948e2eafcabc76d8e5baa5e37a
Opcode Fuzzy Hash: e2bda89ba9eda9fe54a86a0397bb0eaafa8e4ee9f386c428062fb53a4626fd9f
Instruction Fuzzy Hash: 0F1161B2506909BFEF125FA59C44EFA7F69FF19364F040115FA14A2220E7369C61EB90

Function 008D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008D3B56

Part of subcall function 008D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008D3AD2
Part of subcall function 008D3AA3: ___AdjustPointer.LIBCMT ref: 008D3AED

_UnwindNestedFrames.LIBCMT ref: 008D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008D3BA4

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c51b219c4bef0fd852236e450d243397c31aa87719fdd8458de87d7dd4792609
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2E01ED32100149BBDF115F99CC46DEB7B69FF58794F04411AFE4896221C732D961DBA2

Function 008E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008B13C6,00000000,00000000,?,008E301A,008B13C6,00000000,00000000,00000000,?,008E328B,00000006,FlsSetValue), ref: 008E30A5
GetLastError.KERNEL32(?,008E301A,008B13C6,00000000,00000000,00000000,?,008E328B,00000006,FlsSetValue,00952290,FlsSetValue,00000000,00000364,?,008E2E46), ref: 008E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008E301A,008B13C6,00000000,00000000,00000000,?,008E328B,00000006,FlsSetValue,00952290,FlsSetValue,00000000), ref: 008E30BF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ced16ff2b4b6cc48843a308057abdc0564a39c04d6491912e5ecf8bca105c399
Instruction ID: 39cd40e85372695dd488557509fa1a56c9bff92e827977e27fb5a09272af063c
Opcode Fuzzy Hash: ced16ff2b4b6cc48843a308057abdc0564a39c04d6491912e5ecf8bca105c399
Instruction Fuzzy Hash: E601F77631AA66ABCB318B7B9C48E677B98FF47B61B200620F915E3140D721DD01C6E0

Function 00917464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0091747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00917497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009174CA

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 3cef02414e2899d2f141adf585e7cf51338f9674947a47185f34a7978f676744
Instruction ID: 2eca5f48901e1e7a721bd448c62c976945b403723226ca0faddb0811f663fc68
Opcode Fuzzy Hash: 3cef02414e2899d2f141adf585e7cf51338f9674947a47185f34a7978f676744
Instruction Fuzzy Hash: 5F11A1B530A31A9FF7208F94DD08FD2BBFDEB00B00F108969A656D61A1D774E984DB50

Function 0091B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0091ACD3,?,00008000), ref: 0091B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0091ACD3,?,00008000), ref: 0091B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0091ACD3,?,00008000), ref: 0091B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0091ACD3,?,00008000), ref: 0091B126

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2b63ea5824139e9c15e06c76b43c992ea9373f4ced1f06ab0812ff0e3cfb6ad8
Instruction ID: 7b8464a4b6089d3c69605489610f39192fe6e67bc2caa70b6ce9f72e1182abf2
Opcode Fuzzy Hash: 2b63ea5824139e9c15e06c76b43c992ea9373f4ced1f06ab0812ff0e3cfb6ad8
Instruction Fuzzy Hash: E011A171E0951CEBCF009FE4D958AEEBB78FF0E310F114485D941B2145CB3455909B51

Function 00947E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00947E33
ScreenToClient.USER32(?,?), ref: 00947E4B
ScreenToClient.USER32(?,?), ref: 00947E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00947E8A

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bc9ddb50a84886a318db386105000dd0a6db362ce394a8ae85a1bb31d1e94d52
Instruction ID: 9bce4de32fb8a1c1c0eb2e3a08eb7baec406d1131071eb870e15bf0486d3a13e
Opcode Fuzzy Hash: bc9ddb50a84886a318db386105000dd0a6db362ce394a8ae85a1bb31d1e94d52
Instruction Fuzzy Hash: 121153B9D0420AAFDB41CF98C884AEEBBF9FF09310F509166E915E3210D735AA54DF90

Function 00912DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00912DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00912DD6
GetCurrentThreadId.KERNEL32 ref: 00912DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00912DE4

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 63a36b1bd5431498c1f064869d2d753a424bad0f29c77baecc2fe0166c85a2fe
Instruction ID: e63747bac3f2bc303129d4fd83ca87b3ba4bca07efcdcb872932e1e1b4bcb812
Opcode Fuzzy Hash: 63a36b1bd5431498c1f064869d2d753a424bad0f29c77baecc2fe0166c85a2fe
Instruction Fuzzy Hash: 71E092B921A2287FD7202BB2EC0DFEB3E6CEF47BA1F014015F105D10C09AA4C880D6B0

Function 00948863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008C9693
Part of subcall function 008C9639: SelectObject.GDI32(?,00000000), ref: 008C96A2
Part of subcall function 008C9639: BeginPath.GDI32(?), ref: 008C96B9
Part of subcall function 008C9639: SelectObject.GDI32(?,00000000), ref: 008C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00948887
LineTo.GDI32(?,?,?), ref: 00948894
EndPath.GDI32(?), ref: 009488A4
StrokePath.GDI32(?), ref: 009488B2

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: d8cc21e54dc6554014df1738c7ee884c1220484e106928ceeab7a7355ebf65ce
Instruction ID: 7fa525fc9d99a963c499ed0f95e85021fd172dfc776a7c4895eddd063bcd8233
Opcode Fuzzy Hash: d8cc21e54dc6554014df1738c7ee884c1220484e106928ceeab7a7355ebf65ce
Instruction Fuzzy Hash: 9EF03A3A05A258BADB125F94AC09FCE3B6DAF06311F048100FA11651E2C7755511EBA9

Function 008C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008C98CC
SetTextColor.GDI32(?,?), ref: 008C98D6
SetBkMode.GDI32(?,00000001), ref: 008C98E9
GetStockObject.GDI32(00000005), ref: 008C98F1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 62292b964ec56e3d2d402c96d6cf972cc9c91c69d44109aa0ee6d2da80326b9c
Instruction ID: 0757f249c6192a1c958c01ae735241cd34524cfbc621475e8fca351a3fbf9e8e
Opcode Fuzzy Hash: 62292b964ec56e3d2d402c96d6cf972cc9c91c69d44109aa0ee6d2da80326b9c
Instruction Fuzzy Hash: D2E06D7565D280AEEB615B74BC09FE87F21EB1A336F048219F6FA980E1C7715640AB10

Function 0091162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00911634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009111D9), ref: 0091163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009111D9), ref: 00911648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009111D9), ref: 0091164F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4ff9a8288c03ff807653a31aba2bc4330fd00e22619736f7573058748883e100
Instruction ID: 78e884cb75395bc461d0d6318f4db9fbb0e362b55f73ec677849f0fcc0662c88
Opcode Fuzzy Hash: 4ff9a8288c03ff807653a31aba2bc4330fd00e22619736f7573058748883e100
Instruction Fuzzy Hash: D2E046BA616211AFDBA01FA0AE0DF863BACAF467D2F148808F245D9090E76484809B60

Function 0090D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0090D858
GetDC.USER32(00000000), ref: 0090D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0090D882
ReleaseDC.USER32(?), ref: 0090D8A3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6da123572b14df2198741461fa905ffb2d469aae3d388a881bebdb09e6135a5b
Instruction ID: 5f598c9ff525fa302dd6b5b5de0e5bdbd46a89114857a0f53cdf72925cc2a478
Opcode Fuzzy Hash: 6da123572b14df2198741461fa905ffb2d469aae3d388a881bebdb09e6135a5b
Instruction Fuzzy Hash: 5DE01AB8815209DFCF81AFA4D80CA6DBBB1FB09310F11D459F806E7360CB389941AF40

Function 0090D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0090D86C
GetDC.USER32(00000000), ref: 0090D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0090D882
ReleaseDC.USER32(?), ref: 0090D8A3

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 25bd13eb5e4975479ea95bb6e2774b0b0d0be57c36e642fc72338e8c368a8d8a
Instruction ID: 30558a34f08be14d2058ebd54c182fa857b68c4d5c5b16d8f4c2ace5555db3a7
Opcode Fuzzy Hash: 25bd13eb5e4975479ea95bb6e2774b0b0d0be57c36e642fc72338e8c368a8d8a
Instruction Fuzzy Hash: 06E04FB8C15205DFCF90AFA4D80CA6DBBB1FB08310F119048F806E7360CB385901AF40

Function 00924D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008B7620: _wcslen.LIBCMT ref: 008B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00924ED4

Strings

LPT, xrefs: 00924DFB
*, xrefs: 00924E10

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b9cb92014ddb1922bf8274e0b20453b48b4b5b43fd39fa0106ab3867abe6948b
Instruction ID: 7b7a8e527f02ed559db671625abf73f04e26dbdc4ce4640efe98ab776a5f8d45
Opcode Fuzzy Hash: b9cb92014ddb1922bf8274e0b20453b48b4b5b43fd39fa0106ab3867abe6948b
Instruction Fuzzy Hash: C991AE75A002149FCB14DF58D584EAABBF5FF88304F198099E80A9F3A6C735ED85CB91

Function 008DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008DE30D

Strings

pow, xrefs: 008DE2E5, 008DE302

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e662934fad0a91b5d9799ff8da064490259cb94401c3640e8dfd4d66ef43933f
Instruction ID: 1dc224befe895ab76b5351e6e36717a8608b9dc3973c7513dfdad05ee22cec40
Opcode Fuzzy Hash: e662934fad0a91b5d9799ff8da064490259cb94401c3640e8dfd4d66ef43933f
Instruction Fuzzy Hash: 5A518061A1C24796DB15771ADD013793BA8FB41B41F304B6AF4D5CA3ECEB308C81AB46

Function 008CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008CE1B1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 27adf1c2ad8c3aa76f11027d27dc0820b4f78a69f8c7df9c0c0ba147a23aec90
Instruction ID: bde212fcbe522877ecb7a7b495feebd8b098a9e1a2e15848e76949a769d2e92c
Opcode Fuzzy Hash: 27adf1c2ad8c3aa76f11027d27dc0820b4f78a69f8c7df9c0c0ba147a23aec90
Instruction Fuzzy Hash: 0051FE75A0424A9FDB25DF28C481BFA7BA8FF56310F248459F891DB2D0D634DD42CBA1

Function 008CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008CF2BB

Strings

@, xrefs: 008CF2AF

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 7658cf4d89e38bf24d33ad79f2f5347ca356975697e80e525c77aedf3b81fd4d
Instruction ID: b73345ed1247db3df9c7fe4bdfaf9d0761028cb6d200704ece2d61e2114b5912
Opcode Fuzzy Hash: 7658cf4d89e38bf24d33ad79f2f5347ca356975697e80e525c77aedf3b81fd4d
Instruction Fuzzy Hash: E151277141CB449BD320AF14DC86BABBBF8FB84300F81885DF2D981295EB719569CB67

Function 00935745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009357E0
_wcslen.LIBCMT ref: 009357EC

Strings

CALLARGARRAY, xrefs: 009357E6, 009357EB

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 22a710b14a719c33c0e02106e64244459a16fd9fc2e7e7ff27b72483b1a3c1b6
Instruction ID: 44b656d26df701a0fa25cf54225fe774ab49d635a15915c88ef849d1d10c6443
Opcode Fuzzy Hash: 22a710b14a719c33c0e02106e64244459a16fd9fc2e7e7ff27b72483b1a3c1b6
Instruction Fuzzy Hash: 85417E71A002099FCB14DFA9C8829AEBBB9FF59314F114069E505A7262E7349D81CF90

Function 0092D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0092D13A

Strings

|, xrefs: 0092D10B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 57f2c7f4f26a4299deb6403fa9468c8d65ebcd5819455c920691384b5d123c0f
Instruction ID: a125f43b443204a811cb1ef1b7cecc209420937e4cd1ad9fb13bb54cdf43c80e
Opcode Fuzzy Hash: 57f2c7f4f26a4299deb6403fa9468c8d65ebcd5819455c920691384b5d123c0f
Instruction Fuzzy Hash: A7312C71D01219EBCF15EFA4DC85AEEBFB9FF05300F100019F815A62A6E735AA16DB51

Function 0094356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00943621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0094365C

Strings

static, xrefs: 009435BC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9b27a2bad93c01e2dad79a452695456999e444a5bb5210cc70db8aad9f16c347
Instruction ID: b8a3422ba2a0ad59ea2bc7f7fe8b4489c498bb26d04aca53dece5903f64c4778
Opcode Fuzzy Hash: 9b27a2bad93c01e2dad79a452695456999e444a5bb5210cc70db8aad9f16c347
Instruction Fuzzy Hash: 32318871110605AEDB209F38DC81EFB73ADFF88724F018619F8A9D7290DA34AD91DB60

Function 00944537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0094461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00944634

Strings

', xrefs: 0094458E

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 39ae76958259bdfa9b320a9333872d1dd5ecca2cf9636ed2dfa89bde8f684540
Instruction ID: 8126ad619b1e364d590b370d7bd3a82f565130d3217d5e798089b89bc66b83c3
Opcode Fuzzy Hash: 39ae76958259bdfa9b320a9333872d1dd5ecca2cf9636ed2dfa89bde8f684540
Instruction Fuzzy Hash: 73310674A0120A9FDF14CFA9C991FDABBB9FB49300F15416AE905AB351E770A941CF90

Function 009431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0094327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00943287

Strings

Combobox, xrefs: 00943249

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ebba823317a908474f82861ef4e92ab1392be4c55e1156169871b5a19a928a06
Instruction ID: 90f44cf688f12cd550828a26f2489fa48d82747f13363a58a770d66a49236c14
Opcode Fuzzy Hash: ebba823317a908474f82861ef4e92ab1392be4c55e1156169871b5a19a928a06
Instruction Fuzzy Hash: B911C4713042087FFF259FA4DC81EBB376EEF98364F108225F928A7290D6B59D519760

Function 00943710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008B604C
Part of subcall function 008B600E: GetStockObject.GDI32(00000011), ref: 008B6060
Part of subcall function 008B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008B606A

GetWindowRect.USER32(00000000,?), ref: 0094377A
GetSysColor.USER32(00000012), ref: 00943794

Strings

static, xrefs: 00943757

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1941349e48bd2c8ecd7f6b366ce0b41d352f43c060f5d3e4d03d78f6e4d59f9c
Instruction ID: 43c42d36b60130e9c36502e11024006e15a74c84f63fa6a64a069350c404d9f1
Opcode Fuzzy Hash: 1941349e48bd2c8ecd7f6b366ce0b41d352f43c060f5d3e4d03d78f6e4d59f9c
Instruction Fuzzy Hash: 6C1126B261020AAFDB00DFB8CC46EEA7BB8FB09314F004915F995E2250E735E8619B60

Function 0092CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0092CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0092CDA6

Strings

<local>, xrefs: 0092CD66

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a45556829f2d24179012a71db143a226d64cc6291fb9ebc6b767b2eb0d71fb24
Instruction ID: 5c18b2ce36783ed75d2caf533a4ed9c2296f2ca74e55f882e33031a8adfeae48
Opcode Fuzzy Hash: a45556829f2d24179012a71db143a226d64cc6291fb9ebc6b767b2eb0d71fb24
Instruction Fuzzy Hash: A011C6F52156317AD7344B669C45EEBBEACEF127A4F004626B109930C4D7749845D6F0

Function 00943429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009434BA

Strings

edit, xrefs: 0094348F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6530c000b645d23b6d982b8d3d41d0d51f86c3ca89c0949f6720d9b037452f55
Instruction ID: 645c4dbd9659445ad910a43337bc5fd57bae3c7e831b9e7c5a4969e6a29e9f9e
Opcode Fuzzy Hash: 6530c000b645d23b6d982b8d3d41d0d51f86c3ca89c0949f6720d9b037452f55
Instruction Fuzzy Hash: 60119A71210208AEEB228E74DC80EEB376EEB15378F508724F960931E0C735DC91AB60

Function 00916C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00916CB6
_wcslen.LIBCMT ref: 00916CC2

Strings

STOP, xrefs: 00916CBC, 00916CC1

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 35c9bc1e88c18cc814314184a7f4b7acfee830cfeb0aa2a48988403dfd8d5dff
Instruction ID: 22839c4b909008aaae1dbebc8df4ad3c2fbccad462d9ba8194f6f0adacbb7b39
Opcode Fuzzy Hash: 35c9bc1e88c18cc814314184a7f4b7acfee830cfeb0aa2a48988403dfd8d5dff
Instruction Fuzzy Hash: DE01C432F1052A8BCB209FBDDC909FF77A9FB61710B510924E992D6291EB31D980C690

Function 00911CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00911D4C

Strings

ComboBox, xrefs: 00911CEB
ListBox, xrefs: 00911D16

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4a0dd35b45c77d4d58230f21e92f6a6e6f2548be027e3c713b1567762d5a0e5e
Instruction ID: d6863b8d2c11739333461b575f84084aea32be65f14bb1eec69d0afe780b75ff
Opcode Fuzzy Hash: 4a0dd35b45c77d4d58230f21e92f6a6e6f2548be027e3c713b1567762d5a0e5e
Instruction Fuzzy Hash: 4F01D47970121CBB8B08EBA4DC51DFE77B8FB46350B144A19F9A6A73C1EA305948C661

Function 00911BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00911C46

Strings

ComboBox, xrefs: 00911BE5
ListBox, xrefs: 00911C10

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b509b291bc18be1eea1bf73489319fa09d48018fa43594aed5f10e9d5c0965dd
Instruction ID: 8d962a3d162cf463e9cd90e4110a0eda4bb95fb6ca37a8e0133be1fff698d25f
Opcode Fuzzy Hash: b509b291bc18be1eea1bf73489319fa09d48018fa43594aed5f10e9d5c0965dd
Instruction Fuzzy Hash: 4D01A77578110C7BCB04EB94C952EFF77ACEB51340F140019EA86A7282EA649F48C6F2

Function 00911C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00911CC8

Strings

ComboBox, xrefs: 00911C69
ListBox, xrefs: 00911C94

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2c1d6f63602d23fdad801a8cda55a040663ca84476dcff1562fa4313ca7602c1
Instruction ID: b5ce037754ab4afb2efdd3b35d6e465df3dd1b688b1abca725475b7fa18a13c0
Opcode Fuzzy Hash: 2c1d6f63602d23fdad801a8cda55a040663ca84476dcff1562fa4313ca7602c1
Instruction Fuzzy Hash: 6C01D6B578111C77CF04EBA4CA51EFF77ACAB12340F140015BA86B3282EA609F48C6F2

Function 00911D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008B9CB3: _wcslen.LIBCMT ref: 008B9CBD

Part of subcall function 00913CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00913CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00911DD3

Strings

ComboBox, xrefs: 00911D75
ListBox, xrefs: 00911DA0

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: dac4cb2bbc5d69d7b9e9ac894323df4a4445223429f8db3a998380c35ba33510
Instruction ID: 909057f78908ca61c98a0b23df90e5cdb2aa56f429a3f0681b92695aeb8a5f70
Opcode Fuzzy Hash: dac4cb2bbc5d69d7b9e9ac894323df4a4445223429f8db3a998380c35ba33510
Instruction Fuzzy Hash: B1F0A475B5121C77DB04E7A8DC92FFE777CFB42350F140919FA66A32C2EA605A4882A1

Function 008CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008D0668

Part of subcall function 008D32A4: RaiseException.KERNEL32(?,?,?,008D068A,?,00981444,?,?,?,?,?,?,008D068A,008B1129,00978738,008B1129), ref: 008D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008D0685

Strings

Unknown exception, xrefs: 008D0692

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0a9f8c9392e20e90c7ed86db09a7eed11dac394ac083cceb88525cf0dc46e260
Instruction ID: 2949dd57dbe238156971e95973a87a2d2f1c97ca45f83e14a3250ebbbdbd608e
Opcode Fuzzy Hash: 0a9f8c9392e20e90c7ed86db09a7eed11dac394ac083cceb88525cf0dc46e260
Instruction Fuzzy Hash: B7F0A42490030D778B00B6A9E84AE5E777DFE50354F604236BA15D6692EF71DA158982

Function 0093747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00937493
_wcslen.LIBCMT ref: 009374B9

Strings

3, 3, 16, 1, xrefs: 00937483

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 310e3d9a5a8508f124ff817e9d06be1885151478949a45daa1a6ff16a782b811
Instruction ID: f304157643e549b287371c15103838f8d24fe3fff769ff216a3ab93dcbf21d04
Opcode Fuzzy Hash: 310e3d9a5a8508f124ff817e9d06be1885151478949a45daa1a6ff16a782b811
Instruction Fuzzy Hash: DAE0EC4620431021523112AA9CC557F9B8EDEC9750F10141BF585C1376E6949D9153A1

Function 00910B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00910B23

Strings

Error allocating memory., xrefs: 00910B1C
AutoIt, xrefs: 00910B17

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 4c09d5f3d8aa151c6c331fab721a9ede1bbf39700959aada917338de485f2c42
Instruction ID: 8fa1753aaf5f4536b86f704b789a9f3ac178e33291784f4ab436f59be178e9fd
Opcode Fuzzy Hash: 4c09d5f3d8aa151c6c331fab721a9ede1bbf39700959aada917338de485f2c42
Instruction Fuzzy Hash: 24E0D8722893183BD25437987C03FC97B88EF05B65F10442AF798D55C38AE2649006EA

Function 008D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008D0D71,?,?,?,008B100A), ref: 008CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,008B100A), ref: 008D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008B100A), ref: 008D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008D0D7F

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 616b4d9ad7d10377448d8259cab206bf0aa5c93160bf5f5827d4d841d9a51922
Instruction ID: 3a0d4153d522b5a4f6c845862e544cfcd54e08ee85773bf4b83dbcd3b7a37028
Opcode Fuzzy Hash: 616b4d9ad7d10377448d8259cab206bf0aa5c93160bf5f5827d4d841d9a51922
Instruction Fuzzy Hash: 3DE039B42007428BD7709FA8E404B427BE5FB04745F004A2EE492C6752DBF0E4489FA1

Function 00923017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0092302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00923044

Strings

aut, xrefs: 00923038

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 81eab27920e72045c57df5796baadb2029bc7094ac3d31a18cc51b68c8ae4e7c
Instruction ID: d09bfee26607e087943e5ff09001c61ce35dffc6d155bfe5632127670afe171d
Opcode Fuzzy Hash: 81eab27920e72045c57df5796baadb2029bc7094ac3d31a18cc51b68c8ae4e7c
Instruction Fuzzy Hash: FED05EB65013287BDA70A7A4AC0EFCB3A6CDB05754F4002A1B665E2095DAF0D984CAD4

Function 0090D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0090D220

Strings

X64, xrefs: 0090D2A8
%.3d, xrefs: 0090D22B

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2d468724e6fa8c711d52de8cf4a421fc80be58fc49b65459ed55e97b6eb62854
Instruction ID: a4e5b77e9ca4261cfcb86452e01e0858978cedcf96aa0268af005b31f53407c4
Opcode Fuzzy Hash: 2d468724e6fa8c711d52de8cf4a421fc80be58fc49b65459ed55e97b6eb62854
Instruction Fuzzy Hash: F7D012A180A218EECB9096D8DC45DB9B3BCFB08301F508866F92AD1080D738D548AB61

Function 00942322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0094232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0094233F

Part of subcall function 0091E97B: Sleep.KERNEL32 ref: 0091E9F3

Strings

Shell_TrayWnd, xrefs: 00942325

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6ea4abb68cadd6f8e0be9d5d54a410a15204f436f8546ff78070d1316422eec0
Instruction ID: 7afe25ad02ca0dd30df4cbe2831e18478c46ebc431d76533f8879b5cc5502716
Opcode Fuzzy Hash: 6ea4abb68cadd6f8e0be9d5d54a410a15204f436f8546ff78070d1316422eec0
Instruction Fuzzy Hash: 48D022BA3A9300BBE3A8B330DC0FFCA7A149B40B00F008906770AAA0D0C8F0A800CA04

Function 00942356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0094236C
PostMessageW.USER32(00000000), ref: 00942373

Part of subcall function 0091E97B: Sleep.KERNEL32 ref: 0091E9F3

Strings

Shell_TrayWnd, xrefs: 00942365

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8d86b6bbf2cb0db273e60c632da6e0a186d89bae55d926791b40037f14f7f143
Instruction ID: 7216118e87bf798bc875463f96441f6fdaa4b02c5c92c1b340d2ee5a0877877c
Opcode Fuzzy Hash: 8d86b6bbf2cb0db273e60c632da6e0a186d89bae55d926791b40037f14f7f143
Instruction Fuzzy Hash: 5AD0A9B639A3007AE2A8A3309C0FFCA66149B41B00F0089067706AA0D0C8A0A8008A08

Function 008EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008EBE93
GetLastError.KERNEL32 ref: 008EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008EBEFC

Memory Dump Source

Source File: 00000000.00000002.2104791196.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true

Associated: 00000000.00000002.2104760733.00000000008B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.000000000094C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2104991196.0000000000972000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105266166.000000000097C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2105291997.0000000000984000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 8033b6e7d509b2d19c7e3cde44b99920421dcaf75006e6d474af716966a7433a
Instruction ID: 0d8cbdf04ef32b826880ba2ee9053183c333b4b7fa37cc0318ea8ca98e68425b
Opcode Fuzzy Hash: 8033b6e7d509b2d19c7e3cde44b99920421dcaf75006e6d474af716966a7433a
Instruction Fuzzy Hash: E041B634605286AFCB218FA6CC54AAB7BA5FF43310F144269F959E72A1DF309D01DB61

Analysis Process: firefox.exePID: 2300, Parent PID: 7104COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002ABBAACAD37 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000002ABBAACAD5C

Memory Dump Source

Source File: 00000011.00000002.3911571846.000002ABBAAC8000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002ABBAAC8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2abbaac8000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: ebd888a7b6cf3a7b73c83b4619ff4455a5c1aba7bb87d89a4b6f8c47fa31b3dd
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 66A3C531B14A488BEB2EDF28DC856A977D5FB56304F04462EDD47C7252EF30EA42CA91

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2261997297.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2313953608.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2264612647.00000223BB4BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Wikipedia"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Reddit"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{"title":"Twitter"}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2290665005.00000223C388F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222380048.00000223C42E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2246834591.00000223C388F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2220842655.00000223C6CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242381337.00000223C6CB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262433713.00000223C6CB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2290665005.00000223C388F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222380048.00000223C42E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248012648.00000223BE4C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2220842655.00000223C6CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242381337.00000223C6CB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262433713.00000223C6CB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909382128.000001D111A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909382128.000001D111A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.2276554010.00000223BDC8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3908748512.000002ABBA503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3909382128.000001D111A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2220842655.00000223C6CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242381337.00000223C6CA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2290665005.00000223C388F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222380048.00000223C42E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2248012648.00000223BE4C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2220842655.00000223C6CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2242381337.00000223C6CB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2262433713.00000223C6CB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2266977770.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222023911.00000223C4FD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2258040254.00000223BCD85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2228886727.00000223BE4A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2116827186.00000223BCD5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49996 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49998 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d1573d9-a9d4-4e58-8f0b-bfd7b73f78fb.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_8d1573d9-a9d4-4e58-8f0b-bfd7b73f78fb.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8QKOYVEEOEIO44CXR8Z9.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B7GTJ76VNK1DMX72W6WA.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre